INTRODUCTION


A technology has evolved to secure a general purpose computer
utility* against the compromise and sabotage of information. This
technology, called security kernel technology, is a disciplined
approach to providing effective information access controls within a
computer system.

A security kernel is an isolated, protected, and highly reliable
component embedded within a computer's operating system. A combination
of both hardware and software, a security kernel monitors and
controls all accesses to information, permitting or denying access
in accordance with a specific security policy.

While it may be theoretically possible to implement a security
kernel on any machine, certain hardware architectural features are
very important to implementing effectively the three essential
characteristics of a security kernel, which are discussed later. As
will be evident shortly, not all of the important hardware features
are supplied as standard or optional features on all commercially
available computers.

Smith [1] defined and described the important hardware features
and also compared five large-scale, commercial, third generation
computers to evaluate the suitability of each for an effective
security kernel implementation. The five machines represented a
broad range of architectural philosophies, but each possessed
sufficient computational capacity to provide a general purpose
computer utility. The Honeywell 6180 and Digital Equipment
Corporation KI-10 were found to be the best candidates, with the 6180
providing just about all of the important features. The IBM 370 and
Xerox Sigma 9 were judged to be difficult architectural bases for
an effective security kernel implementation, while the Burroughs
B6700 was considered an extremely poor choice.


* A general purpose computer utility is defined here as a
multiprogramming, resource-sharing computer system designed
to support interactive and batch processing and to be accessible
to multiple users concurrently.
Presently, many small to medium scale computer systems are
marketed for use as general purpose computational utilities. This
report will compare and evaluate, against the important hardware
architectural features, minicomputer systems offered by ten
different vendors: MODCOMP, DATA GENERAL, GENERAL AUTOMATION,
VARIAN, PRIME, DIGITAL EQUIPMENT CORPORATION, HONEYWELL, IBM,
INTERDATA, and HEWLETT-PACKARD.

The remainder of this section will provide background
information on security kernel technology. In Section II the
specific hardware features that serve as the criteria for the
evaluation are developed. The results of the evaluation are
documented in Section III and a conclusion is presented in Section
IV.


BACKGROUND 

Information Security and Privacy

There are many commercial, industrial, military, and government
environments with requirements for general purpose computer
utilities - frequently minicomputer based - that permit the sharing
of programs and data bases among users of the utility, while
maintaining the security of information where essential and the
privacy of information where desired.

The need to maintain the security of information is most
visible in systems with requirements for multilevel secure
information processing. Many military and government environments
have experienced increasing demands to process concurrently
information at multiple levels of classification on the same
machine. If those demands are to be satisfied, effective
information access controls must be provided to maintain the
segregation of multilevel information and to ensure that individuals
cannot gain access to information classified above their level of
clearance.

The need to maintain the privacy of information is evident in
just about any computer utility. An owner of a program or data file
- particularly a proprietary program or sensitive data file - must
be confident that only (owner) designated individuals are permitted
to access the file.

An effective security kernel implementation provides the
required security and privacy controls. By creating an environment
in which all accesses to information must occur through the kernel,
the security and privacy of information can be guaranteed. By
preventing unauthorized accesses to information, the kernel
eliminates from the computer utility the threats of unauthorized
modification, destruction, and purloining of information.

Security Kernel Technology

Since the late 1960's, the United States Air Force Electronic
Systems Division (ESD) has sponsored research and development
activities in the area of computer system security [2]. In 1972 ESD
funded a Computer Security Technology Planning Study Panel to
investigate and report on computer security issues, including the
issue of ensuring the security and privacy of information in a
general purpose computer utility [3]. The panel's conclusion was
that the operating system of a secure, general purpose computer
utility should include an isolated, protected, and reliable
mechanism known as a reference monitor. The reference monitor would
guarantee the security and privacy of information by mediating and
controlling all references (accesses) to information. A security
kernel is the realization in hardware and software of the reference
monitor concept.

The panel recognized that the effectiveness of the information
access controls is a critical consideration. Clearly, it must not
be possible to either circumvent or subvert the access controls. As
the panel recognized, efforts to secure an operating system by
either discovering and fixing all of its "holes", or by constructing
a set of security features upon an existing, non-secure operating
system, stood little chance of success. The former approach is
ineffective because the absence of holes can never be demonstrated,
only the inability to find them. The latter approach is ineffective
because the security controls are built upon a non-secure operating
system which can be penetrated, and the security controls at the
outer level can be circumvented or subverted [4].

The only viable approach, the panel concluded, was to include
security as a central consideration or goal during the design and
development of an operating system. The design process should start
with the formulation of a mathematical model of a secure computer
system based on the reference monitor concept. Once a model is
established and proved, a primitive, secure machine that embodies
the reference monitor concept is then designed, specified, and
implemented. This primitive, secure machine consists of a base
computer architecture - supplemented, of course, by hardware
features important to an effective security kernel implementation -
and a small amount of highly reliable security kernel software.
Because of the requirement for high reliability, it must be possible
to demonstrate or prove that the primitive, secure machine
faithfully implements the mathematical model. Finally, with proof
of the primitive, secure machine accomplished, an operating system
is designed and implemented upon the secure machine. Since the
operating system is itself constrained by the access controls
provided by the primitive, secure machine, it is a secure operating
system. Any software system constructed upon the primitive, secure
machine and constrained by its access controls is a secure software
system.

Mathematical Model


ESD sponsored several efforts [5, 6] to develop a mathematical
model of a secure computer system based on the reference monitor
concept. The specific security policy that the models were to
enforce was the Department of Defense security policy of clearances
and classifications.* In practice, clearances are assigned to all
users of the computer system and classifications are attached to all
information stored within the system.

One model, the Bell and LaPadula model [7], is the fundamental
basis of all security kernel development activities at The MITRE
Corporation. The Bell and LaPadula model defines a reference
monitor based, secure computer system in terms of subjects, objects,
and mathematical axioms that govern subject accesses to objects.

Subjects are information accessors, the active system elements
such as users and processes operating on their behalf that read and
write information.

Objects are system elements accessed by subjects; they are
passive elements that serve as information containers. Examples of
objects are program and data files which are stored in main memory
and on peripheral storage media.

The reference monitor maintains the clearances of subjects and
the classifications of objects, and it mediates and controls all


*Security levels are assigned to individuals (clearances) and
information (classifications). A security level is composed of a
linearly ordered classification level (i.e., Unclassified,
Confidential, Secret, Top Secret) and a set of compartments (e.g.,
NATO, China, Nuclear).
subject accesses to objects in accordance with security policy.
The policy consists of a non-discretionary security policy and a
discretionary security policy.


Non-Discretionary Security Policy


Non-discretionary security policy is defined by two model
axioms: the simple security condition and the *-property.

The simple security condition governs a subject's read and
execute accesses to objects. It states that a subject may read or
execute an object if the clearance of the subject dominates* the
classification of the object. The simple security condition is
drawn directly from DoD security policy; its intent is to prohibit
users from obtaining information that they are not cleared to see.

The *-property governs subject write accesses to objects. It
states that a subject may write into an object if the classification
of the object is greater than or equal to the clearance of the
subject. Stated another way, the *-property stipulates that a
subject cannot write into an object classified at a level lower than
the clearance of the subject. The *-property is designed to prevent
a program operating on behalf of a user from reducing, accidentally
or otherwise, e.g., via a "Trojan Horse" [8], the classification of
information.

When an individual is granted a clearance, he is charged with
responsibility for maintaining the classification of classified
information. Normally, when the individual is working with pencil
and paper, we can trust the tools he is working with not to
compromise information, since the individual has very direct control
over the pencil and paper. However, the tools a computer utility
may provide cannot be similarly trusted and must be denied write
access to objects of lower classifications. This is a consequence
of the limited and indirect control the individual has over the
software operating on his behalf, the amount of information that may
be compromised, the speed with which the compromise may occur, and
the difficulty in detecting the violating program.


*A clearance is greater than or equal to a classification if: 1)
the classification level of the clearance is greater than or equal
to the classification level of the classification, and 2) the set of
compartments of the clearance is a superset of the set of
compartments of the classification.


The effect of *-property enforcement on a computer utility is
to partition the information store into multiple levels of
classification and to confine each information object to its
associated partition, thereby preventing the migration or
leakage of information across partition boundaries.

Discretionary Security Policy

Discretionary security is DoD's need-to-know security policy;
it states that, in addition to being properly cleared to access some
particular piece of information, the user must have a valid
justification for accessing the information. The implication is
that the "owner" of a piece of information may decide to grant
another individual access to the information, provided the
individual is properly cleared and has the need-to-know.

In the model, then, in addition to maintaining the
classification of all objects, the reference monitor maintains an
access control list for each object. The access control list, which
may be manipulated only by the object's owner, designates those
subjects that have been granted access to the object and their
permitted modes of access.

Thus, when a subject attempts to access an object, the
reference monitor will verify that, for the requested mode of
access, both non-discretionary and discretionary policies are
satisfied.

Integrity 

If the simple security condition, *-property, and access
control lists are properly enforced by the reference monitor,
classified information is protected from accidental or malicious
disclosure to unauthorized users. However, as presented above, the
model does not yet protect classified information against
unauthorized modification or destruction. As formulated, the *-
property permits a subject to write into an object classified at a
level above the subject's clearance. There is nothing to prevent a
subject from overwriting sensitive information that the subject
cannot otherwise read. For example, the model permits a top secret
process to execute an unclassified procedure, since execute access
is equivalent to read access in the model. If the unclassified
procedure is untrustworthy (i.e., coded by an uncleared
individual), there is nothing to prevent it from destroying top
secret information that is accessible to the process.
Biba has expanded the Bell and LaPadula model to address the
problem of information sabotage [9]. In addition to attaching
security levels to subjects and objects, the reference monitor also
maintains an integrity level for all subjects and objects. A simple
integrity condition and integrity *-property are defined that are
the duals of the simple security condition and *-property. The
integrity axioms prevent a subject of high integrity from accessing
data or procedure objects of lower integrity. Low integrity
procedures may only be used by subjects of equivalent integrity, and
only data objects of equivalent integrity are accessible. The
sabotage of high integrity information by low integrity procedures
is therefore prevented.
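The three policies just described (the simple security condition and *-property, the owner-controlled access control list, and Biba's integrity duals) can be written down as one reference monitor decision routine. The following is an added example, not code from the report or from MITRE; the classification names follow the report's footnote, while the integrity ladder ("low", "medium", "high"), the subject and object names, and the ACL layout are assumptions constructed for the illustration. The scenario reproduces the report's own cases: a write-down blocked by the *-property, a missing compartment blocked by the simple security condition, and a top secret process that is refused execute access to an untrustworthy unclassified procedure by the simple integrity condition.

```python
"""Reference monitor check for the Bell and LaPadula axioms, the Biba
integrity duals, and a per-object access control list.

Added illustration, not code from the report. Level names for integrity,
the subjects, objects and ACL entries are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Linearly ordered classification levels, as listed in the report's footnote.
CLASSIFICATION_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
# Linearly ordered integrity levels (names assumed; the report gives none).
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class SecurityLevel:
    """A classification level plus a set of compartments (e.g. NATO, Nuclear)."""
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "SecurityLevel") -> bool:
        # The footnote's "greater than or equal to": level at least as high
        # AND compartment set is a superset of the other's compartments.
        return (CLASSIFICATION_RANK[self.classification]
                >= CLASSIFICATION_RANK[other.classification]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: SecurityLevel
    integrity: str


@dataclass
class Obj:
    name: str
    classification: SecurityLevel
    integrity: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # subject -> modes


def set_acl(obj: Obj, requester: str, subject: str, modes: Set[str]) -> bool:
    """Discretionary policy: only the object's owner may manipulate its ACL."""
    if requester != obj.owner:
        return False
    obj.acl[subject] = set(modes)
    return True


def check_access(s: Subject, o: Obj, mode: str) -> Tuple[bool, str]:
    """Return (permitted, reason); every axiom must hold for the requested mode."""
    if mode not in ("read", "execute", "write"):
        raise ValueError(f"unknown access mode {mode!r}")
    if mode in ("read", "execute"):
        # Simple security condition: clearance must dominate classification.
        if not s.clearance.dominates(o.classification):
            return False, "simple security condition"
        # Simple integrity condition (Biba dual): a subject may not read or
        # execute an object of lower integrity than its own.
        if INTEGRITY_RANK[o.integrity] < INTEGRITY_RANK[s.integrity]:
            return False, "simple integrity condition"
    else:
        # *-property: write only where the object's classification dominates
        # the clearance, so no program can copy information downward.
        if not o.classification.dominates(s.clearance):
            return False, "*-property"
        # Integrity *-property (Biba dual): no writing into higher integrity.
        if INTEGRITY_RANK[s.integrity] < INTEGRITY_RANK[o.integrity]:
            return False, "integrity *-property"
    # Discretionary policy: the owner must have granted this mode on the ACL.
    if mode not in o.acl.get(s.name, set()):
        return False, "discretionary policy (access control list)"
    return True, "permitted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: two users, a Secret report, an untrusted procedure."""
    ts_nato = SecurityLevel("Top Secret", frozenset({"NATO"}))
    secret = SecurityLevel("Secret")
    secret_nuc = SecurityLevel("Secret", frozenset({"Nuclear"}))
    alice = Subject("alice", ts_nato, "high")
    bob = Subject("bob", secret, "low")
    report = Obj("report", secret, "high", owner="alice")
    nuclear = Obj("nuclear", secret_nuc, "high", owner="alice")
    # Unclassified procedure coded by an uncleared individual: low integrity.
    tool = Obj("tool", SecurityLevel("Unclassified"), "low", owner="bob")
    set_acl(report, "alice", "alice", {"read", "write"})
    set_acl(report, "alice", "bob", {"read", "write"})
    set_acl(nuclear, "alice", "bob", {"read"})
    set_acl(tool, "bob", "alice", {"execute"})
    return {
        "alice reads report": check_access(alice, report, "read"),
        "alice writes report": check_access(alice, report, "write"),   # write-down
        "bob reads report": check_access(bob, report, "read"),
        "bob writes report": check_access(bob, report, "write"),       # low integrity
        "bob reads nuclear": check_access(bob, nuclear, "read"),       # no compartment
        "alice executes tool": check_access(alice, tool, "execute"),   # Biba dual
        "bob edits report acl": (set_acl(report, "bob", "bob", {"write"}), "not owner"),
    }
```

Note that the discretionary check is applied last: it can only narrow what the non-discretionary axioms already permit, never widen it, which is exactly the relationship the report describes between the two policies.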

Security Kernel Requirements

Three requirements for, or characteristics of, an effective
security kernel implementation were identified by the panel.

They are:


1. the complete mediation of all information accesses;

2. the isolation and protection of the security kernel from
penetration and subversion; and

3. the consistent and reliable enforcement of the security
policy.

The hardware features that constitute the evaluation criteria are
derived directly from the three requirements. The features are
introduced here in general terms and are more fully developed in
Section II.


Complete Mediation

To state this requirement in the abstract terms of the
mathematical model, the security kernel must intervene and mediate
all accesses to objects by subjects.

Objects have been defined as information repositories within a
computer system, such as program and data files, and I/O storage
devices. All objects reside on some type of memory, either main
memory, secondary memory (disks and drums), or peripheral memory
(magnetic tape, paper tape, punched cards, magnetic bubble memory).

Subjects have been defined as users and processes operating on
behalf of users. The security kernel deals most directly with
processes, which may be defined in any number of ways. A process is
defined here as a collection of active objects (resources) and a
process state. A process' address space is another term for the
collection of active accessible objects; the address space includes
all programs that may be executed, as well as all data files and I/O
devices that may be read or written. The process state contains
status information about the process, e.g., a security level, an
integrity level, and an execution point. Since the definition of a
process may also include a buffer area for interprocess
communication messages, processes are objects as well as subjects.

I/O channels for direct memory access (DMA) I/O devices are
another type of subject. I/O channels are small-scale processing
units that execute I/O programs to move blocks of data between main
memory and high-speed I/O devices. I/O channels are programmed
(initialized) via commands from the central processor. As active
system entities, the security kernel's access controls must also be
applied to the operation of all I/O channels.

To restate the requirement for complete mediation of all
subject-object accesses, a security kernel must mediate all:

1. process accesses to main memory;

2. process accesses to I/O storage devices;

3. I/O channel accesses to main memory;

4. I/O channel (and I/O device) accesses to processes
(interrupts); and

5. process accesses to other processes.

The requirement for complete mediation of all process accesses
to main memory implies that the security kernel must verify a
process' access rights on all fetches and stores to main memory.
Clearly, some additional circuitry must be present within the main
memory addressing mechanism to check each and every access by the
central processing unit to main memory. A virtual memory addressing
system can provide this access checking circuitry. Virtual memory
is a memory management scheme designed to support an environment for
multiprogramming by partitioning total physical memory into
distinctly accessible storage blocks. To support a multiprogramming
environment where programs and data may be shared among processes,
without one process destroying another, the virtual memory system
will verify, at a minimum, read and write access rights on all
accesses by the central processor to main memory.
The second, third, and fourth types of subject-object accesses
above imply that the security kernel must be responsible for
input/output access controls. A sufficient solution to ensuring
security kernel mediation of all I/O accesses is to permit only the
kernel to perform I/O. Privileged I/O instructions are one means of
restricting I/O capability to the kernel. Privileged instructions
may be executed only when the central processor is operating in
"privileged" mode; by permitting only kernel software to run in
"privileged" mode, only the kernel can do I/O.

There are other ways of restricting I/O device access to
security kernel software. Some architectures permit the central
processor to address I/O device registers like main memory. Since
the security kernel will maintain control over the virtual memory
addressing mechanism, it can restrict the physical memory addresses
of I/O device registers to its own address space; I/O device
registers can thus be made inaccessible to user software.

Ideally, user software should be permitted to perform I/O under
minimal security kernel control. This would reduce kernel
responsibility for I/O, making the kernel smaller, less complex, and
more easily verified. Hardware mechanisms that make user I/O
possible are discussed in Section II.

The final type of subject-object access implies kernel
mediation and control of interprocess communication. IPC control is
part of the kernel's overall responsibility for control of system
processes (creation, deletion, and switching of processes). Most
process control functions will be implemented within the software
portion of the security kernel. However, certain types of hardware
features are identified in Section II that facilitate the kernel's
process control responsibilities.

Isolation and Protection from Subversion

As the focal point of information access control, the security
kernel must be protected from unauthorized modification and
tampering that could render it ineffective.
Architectural support for the notion of execution domains*
provides an environment in which the isolation and protection of
security kernel components can be assured. The concept is well
defined and dates back to the days of the early batch monitor
systems when the importance of protecting supervisory programs and
data bases from the vagaries of user software was first recognized.
On those early systems two domains or modes of execution were
typically provided: user and supervisor. A field within the
central processor's status register indicated the current mode of
execution. User software ran in user mode, which was unprivileged,
while supervisory software ran in supervisor mode, which was
privileged. Privilege meant that certain (privileged) instructions
could be executed. From the perspective of protecting supervisory
software, the important privileged instructions were those that
manipulated memory protection features, since they could be used to
protect memory areas where supervisory software resided. I/O
instructions, as noted in the preceding subsection, were also
privileged, so that the supervisor could control the movement of
user programs and data into and out of main memory.

Security kernel software, of course, would run within the
privileged, supervisor execution domain. By properly managing the
virtual memory system, the kernel would protect itself from user
software confined to run within the unprivileged execution domain.

The concept of a hardware ring structure, first described by
Saltzer and Schroeder [11], is a particularization of execution
domains to a virtual memory environment. Hardware rings extend the
two domain arrangement into a multiple number of domains which are
hierarchically structured or linearly ordered in terms of access
rights to virtual memory objects. Conceptually hardware rings are
arranged concentrically, with the innermost ring most privileged and
the outermost ring least privileged. On a ring system the address


*It is important to note immediately that "domain" is used here in
the sense of hardware provided "execution domains", following the
terminology of much of the literature provided by computer
manufacturers, and is distinguished from the notion of "protection
domains", which is the subject of much research in computer security
(see Reference [10]) and is mostly provided in software through
capability-based addressing.
space of a process consists of a number of virtual memory objects,
each of which has been assigned to a specific ring (or rings) of
execution. The address space is really dynamic, changing as the
process' ring of execution changes. When the execution point of a
process moves into an inner ring, its address space increases as
more objects become accessible and access rights to previously
accessible objects increase. Newly accessible objects are those
which have been assigned to the inner ring. Conversely the address
space of a process decreases as its point of execution moves into an
outer ring. As interring transfers, particularly inward ring
transfers, are carefully controlled, objects assigned to inner rings
can be protected from processes executing in outer rings.

From above, another form of privilege is the ability to execute
privileged machine instructions. On ring systems privileged
instructions are executable only by processes operating within the
innermost, most privileged ring.

On ring systems security kernel software must execute within
the innermost ring. Ring machines permit the implementation of a
distributed kernel, which means that kernel procedures and data
bases assigned to the innermost ring can be included within the
address space of user processes. Not all kernel software would be
so distributed, of course; only those procedures and data bases that
should be accessible to user software would be distributed.
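The descriptor-based virtual memory of the "Complete Mediation" discussion (every fetch and store checked against access rights, with memory-mapped I/O device registers confined to the kernel's own address space) and the ring-structured, dynamic address space described just above can be shown together in one small model. The following is an added example and not the architecture of any machine in the report or of the Honeywell 6180; ring numbers grow outward with 0 innermost, and the segment names, sizes, and ring assignments are assumptions constructed for the illustration. Each descriptor records, per access mode, the outermost ring from which that mode is permitted, so the same process sees a larger address space when its execution point is in ring 0 than in ring 3.

```python
"""Descriptor-based virtual memory with concentric execution rings.

Added illustration, not any real machine's addressing hardware. Ring 0 is the
innermost (kernel) ring; the segment layout below is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NEVER = -1  # no ring number satisfies 0 <= ring <= NEVER: mode never allowed


@dataclass(frozen=True)
class Descriptor:
    """One virtual memory object: base and length, plus for each access mode
    the outermost ring from which that mode is permitted."""
    name: str
    base: int
    length: int
    read_ring: int
    write_ring: int
    execute_ring: int

    def permits(self, mode: str, ring: int) -> bool:
        limit = {"read": self.read_ring, "write": self.write_ring,
                 "execute": self.execute_ring}[mode]
        return 0 <= ring <= limit


class Process:
    """A process: its descriptor list (the objects it may ever touch) and a
    process state that includes the ring it is currently executing in."""

    def __init__(self, descriptors: List[Descriptor], ring: int):
        self.descriptors = {d.name: d for d in descriptors}
        self.ring = ring

    def address_space(self) -> Dict[str, Set[str]]:
        """Objects and modes accessible from the current ring; this shrinks as
        the execution point moves outward and grows as it moves inward."""
        space: Dict[str, Set[str]] = {}
        for d in self.descriptors.values():
            modes = {m for m in ("read", "write", "execute") if d.permits(m, self.ring)}
            if modes:
                space[d.name] = modes
        return space

    def translate(self, segment: str, offset: int, mode: str) -> Optional[int]:
        """Every fetch and store passes through here: the descriptor must exist,
        the current ring must permit the mode, and the offset must be in bounds.
        Returns the physical address, or None for an access violation."""
        d = self.descriptors.get(segment)
        if d is None or not d.permits(mode, self.ring):
            return None
        if not 0 <= offset < d.length:
            return None
        return d.base + offset

    def privileged_instruction(self, instruction: str) -> bool:
        """Privileged instructions (e.g. start I/O) execute only in the innermost ring."""
        return self.ring == 0


def build_process(ring: int) -> Process:
    """Constructed layout: kernel objects and the memory-mapped I/O device
    registers are assigned to ring 0, so user software in ring 3 cannot reach
    them; one kernel procedure is distributed into the user ring read-only."""
    segs = [
        Descriptor("kernel_code", 0x0000, 0x2000, read_ring=0, write_ring=0, execute_ring=0),
        Descriptor("kernel_data", 0x2000, 0x1000, read_ring=0, write_ring=0, execute_ring=NEVER),
        # Device registers addressed like main memory, confined to the kernel's ring.
        Descriptor("io_device_regs", 0xF000, 0x0100, read_ring=0, write_ring=0, execute_ring=NEVER),
        # Distributed kernel procedure: callable from ring 3, writable only from ring 0.
        Descriptor("kernel_gate", 0x3000, 0x0400, read_ring=3, write_ring=0, execute_ring=3),
        Descriptor("user_code", 0x4000, 0x4000, read_ring=3, write_ring=1, execute_ring=3),
        Descriptor("user_data", 0x8000, 0x4000, read_ring=3, write_ring=3, execute_ring=NEVER),
    ]
    return Process(segs, ring)
```

The point of routing every access through `translate` is that there is no second path: a user-ring store to a device register fails at the descriptor check in exactly the same way as an out-of-bounds store, which is what makes the kernel's control over the addressing mechanism a sufficient substitute for privileged I/O instructions on such an architecture.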

Correct Operation

The final security kernel requirement, the consistent and
reliable enforcement of the security policy, is without doubt the
most difficult to satisfy. The operation of the security kernel
must be provably correct, so that the existence of implementation
bugs that might be exploited by direct software attacks can be
dismissed. This requirement for provably correct operation has
motivated the development of a formal design, implementation, and
verification methodology in security kernel technology.

The methodology employs a series of successively less abstract
representations of a security kernel implementation, with a proof of
correspondence between each representation and its preceding, more
abstract representation [12].

Starting with the security policy to be enforced by the kernel,
the first representation is a mathematical model of an abstract,
secure computer system based on the reference monitor concept. The
Bell and LaPadula model has been described above [7]. The next
representation in the series is a formal top-level specification of
the input/output behavior of the security kernel, using a
specification technique originally proposed by Parnas [13] and
extended by Price [14]. Millen has developed a technique to
demonstrate that the top-level specification complies with the
axioms of the mathematical model [15]. The next step is to
implement the software portion of the kernel design on the proper
hardware base, and to prove that the implementation corresponds to
its top-level specification. Kallman and Millen have devised a
kernel implementation and proof of correctness strategy [16], drawn
from techniques developed at Stanford Research Institute [17], that
involves the decomposition of the kernel into hierarchically
structured levels of abstraction. The final step in the series is a
usable secure machine in execution, obtained by compiling the
kernel software developed in the preceding step. To complete the
verification methodology, proof of a correct compilation must be
demonstrated. Further research in this area of verification is
needed.

The first two steps of the methodology, model and top-level
specification, are independent of any particular hardware base. The
third step is the implementation of kernel software on a proper
hardware base. Hardware features that make a machine a proper base
are those that contribute to a clean and efficient realization of
the subject and object model abstractions. The result is a small,
well organized, and understandable implementation, one that is
receptive to complete testing and verification of correct
performance.

A virtual memory organization is a desirable feature in this
regard because it contributes to a homogeneous object structure
where objects are accessed in a similar fashion. Complete
homogeneity of object structure is supported by those architectures
where I/O devices are also accessed via the virtual memory system.

The subject abstraction is supported by hardware features that
permit a clean and efficient multiple process structure. Again, a
virtual memory organization can assist here by providing a suitable
environment for multiprogramming and by defining a per process
address space in terms of object descriptors. Hardware assistance
for a fast and efficient process switch and interprocess
communication also contribute to an effective multiple process
environment.




SECTION II


EVALUATION CRITERIA

The evaluation criteria are drawn directly from a set of
architectural features previously identified by Burke [18] as
contributing to an efficient and effective security kernel
implementation on a minicomputer system.

Some of the features were introduced in the preceding
discussion on security kernel requirements. Mention was made of the
need to control processor accesses to main memory and I/O devices to
satisfy the requirement for complete mediation. Virtual memory was
identified as one means of managing and controlling accesses to main
memory, and privileged I/O instructions were described as a
sufficient means of restricting I/O capabilities to kernel software.
Domains of execution and the more specific notion of concentric
rings were noted as effective mechanisms for insuring the isolation
and protection of kernel hardware and software. And finally, the
requirement for security kernel verification demanded a clean and
well structured kernel software implementation, facilitated by
features that contribute to a good realization of subjects, via a
robust multiple process environment, and objects, via a descriptor-
based virtual memory organization.

The criteria are presented under four functional areas, from
above: virtual memory, I/O access control, execution domains, and
multiple process control. In each area both essential and
convenient features are developed. The essential features are just
that - those features in each area that are absolutely necessary to
satisfy the requirements for an effective security kernel
implementation. Convenient features provide desirable capabilities
in hardware, capabilities that would otherwise be provided by kernel
software. Convenient features may contribute to the efficiency of a
kernel implementation, to the verification of kernel software (by
reducing its size and/or complexity), or to the support of a
multilevel secure application system.


VIRTUAL  MEMORY 

Virtual memory is a somewhat overworked and frequently misused
term, a term which to most individuals frequently connotes only the
notion of a very large per process address space. The term is often
applied to memory management systems that are really mapped memory
systems. Most of the minicomputers that are evaluated support as an
optional feature a memory mapping unit (MMU) that permits the expansion of
main memory beyond standard capacity. These machines are typically
16 bit machines that form 16-bit effective program addresses and
support a per process address space of 64K bytes or words, depending
upon the addressable unit. Even with the MMU and expanded main
memory, the per process address space - now called a logical or
virtual address space - remains at 64K. Expanded main memory is
usually, but not necessarily, some multiple of 64K, and the MMU maps
each process' virtual address space into a 64K physical address
space in main memory.


Conversely, other machines surveyed (PRIME, SCOMP) form
effective program addresses larger than 16 bits in length, something
like 18, 20, or 32 bits. These machines provide a much larger per
process virtual address space (e.g., 128M words on the PRIME
machines), clearly much larger than the amount of physical main
memory that is currently practical to attach. These machines more
closely conform to the common notion of a virtual memory system.

The distinctions between mapped and virtual memory are not
critical as far as the evaluation is concerned, other than the
consideration that a very large per process virtual address space
permits a very robust, multiple process, computational environment.
The important characteristics of both mapped and virtual memory
organizations are the following:

1) Total physical memory space is organized into
and accessed in terms of logical storage units called either
pages or segments. Pages are fixed length units, usually
something like 512, 1,024, or 2,048 words/bytes in length.
Segments are variable length units, often with some
maximum length defined somewhere on the order of 32K
or 64K words or bytes. Whereas segments are generally
large enough to accommodate most programs and data files,
several pages are required in a paged organization.

Some systems provide a segmented-paged organization
where each segment consists of an integral number of
pages, up to some maximum number of pages. In a
segmented-paged system, only the accessed page of a
segment must be resident in main memory.

2) The page or segment corresponds to an object in the
mathematical model. The virtual address space of a process
is a collection of currently accessible objects, a set of
active pages or segments. An object is made accessible
to a process when a descriptor for it
is added to the table of active object descriptors for
the process. The object is thereafter accessed (addressed)
through its descriptor. The table of active object
descriptors is a convenient definition of the
process virtual address space.

3) Program effective addresses are virtual or logical
addresses. They are two-component addresses, where
the first component is a logical page or segment number -
in effect an index into the active object descriptor
table - and the second component is a word or byte offset
location. The first component is used to locate the
descriptor for the object within the process' active
object table; among other items, the descriptor may
contain the main memory location of the start of the
object. The second component is added to the
starting location to compute an effective physical
address in main memory. If the addressed object is not
currently resident in main memory, as detected by the memory
mapping unit from a flag within the object's descriptor,
a fault is generated during address translation and
a (kernel) software routine is initiated to move the
object into main memory from secondary (disc or drum) memory.
A paged virtual memory organization is advantageous to
memory management because only the accessed page of a program
or data file must be moved into main memory.

4) Regarding the requirement for complete mediation, the
most important characteristic is that, in most cases,
all effective program addresses formed by a process
are virtual addresses and must be translated into
physical main memory addresses. During address
translation, the mapping hardware verifies that the attempted
mode of access is valid. The descriptor for the
accessed object includes information defining the process'
access rights to the page or segment. At a minimum the
access control information will support write protection,
where a bit within the descriptor must be set to permit
write access to the object. Typically the mapping
hardware will provide an unmapped mode of operation, when
effective addresses are treated as physical, not virtual,
addresses and access protection checks may be disabled.
(The unmapped mode of operation would be restricted to
kernel software.) User software will run under mapped
mode, so that all main memory accesses are mediated.
5) As for supporting the subject and object abstractions,
the active object table is a succinct definition of the
address space of a process. Descriptors are used to define
the locations of objects as well as a process' access
rights to them. Within a virtual memory environment, the
active object table embodies most of the information that
defines a process. (In a kernel based secure operating
system, the table is manipulated by process management
software modules within the kernel; objects are added
to the table upon user process request, provided the
simple security condition and *-property are
satisfied.) When a process is allocated usage of the
central processor, its table must be made accessible
to the address translation hardware. For most
mapped memory systems, this means that an image
of the table is loaded from memory into a set of address
translation or mapping registers in hardware or, often, in
fast semi-conductor memory. For most virtual memory systems,
this means that a single register is loaded that points to the
table somewhere in main memory; since descriptors must
be fetched from main memory for address translation,
adding overhead to the time spent during address
translation, a fast access cache is typically provided to
hold frequently used descriptors.

On at least one virtual memory architecture (SCOMP), I/O devices
are supported as part of the virtual environment. Descriptors
are used to define I/O devices. A device is made accessible
to a process when a descriptor for it is included within
the process' active object table. The process accesses
the device in terms of a virtual device address and the
mapping hardware translates the access into an effective
access to a physical I/O device. The result is a complete
homogeneity of object structure in which all model objects
are accessed in a similar fashion, i.e., by virtual addresses
that are translated into physical memory addresses, or
physical I/O device accesses, using information contained
within process local object descriptors.

Essential Features


Paged or Segmented Virtual Memory

It must be clear that a virtual memory system is an essential
architectural feature. Either a paged or a segmented organization
will do. Both can provide an effective environment for multiple
processes; both require address mapping circuitry and can therefore
provide access checking during address translation. Perhaps the
ideal organization is a segmented-paged arrangement, with access
rights applied at the segment level and segments partitioned into
pages for efficient memory management.

Null, Read-Execute, Total Access Status

At a minimum null, read-execute, and total (e.g., read-write-
execute) access permissions should be supported on a per page or per
segment basis. The model axioms require the capability to segregate
read access from write access. Null access means that no object is
associated with the descriptor addressed by the first component of
the virtual address; such an attempted access should generate an
internal interrupt (or fault), as should all access violations
detected by the mapping hardware.

Convenient  Features 


A finer grain of access permission is desirable. It would be
convenient to be able to grant a process any subset of the following
set of access rights: null, read, execute, and write. Lacking such
fine granularity, read-only and execute-only access permissions
would be very helpful. Two other convenient features within virtual
memory object descriptors, referenced and modified flags, are
helpful to virtual memory management.

Read-Only 

Read-only access permission is helpful because it can prevent a
process from executing a data file. This is basically a validity
check, but some applications have a requirement for no user
programming and read-only permission makes this possible.

Execute-Only

Execute-only access is helpful in that proprietary programs can
be protected. Programs stored in execute-only objects can be
executed, but not read and copied.

Referenced  Flag 

A referenced flag is set within a virtual memory object
descriptor when the object is accessed by a process. A referenced
flag is helpful to memory management software when it must decide
(e.g., least recently used algorithm) what object(s) in main memory
can be replaced by other virtual memory objects.
Modified Flag

Similarly, a modified flag is set when a process writes into an
object. An object that has been modified must be copied back to
secondary memory when it is replaced in main memory; otherwise the
modification is effectively lost.
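As an added illustration of the translation and access checks described in this section (it is not code from the report or from any of the surveyed machines), the following C program models a descriptor-based mapping unit: a two-component virtual address selects a descriptor from the process' active object table, the requested mode of access is checked against the rights held in the descriptor, a missing descriptor (null access), a non-resident object, or an out-of-bounds offset raises a fault for kernel software, and the referenced and modified flags are maintained. The descriptor layout, the fault names, the unmapped-mode helper and the sample table are assumptions made for the example; it uses the finer-grained read/execute/write rights the text calls convenient rather than only the minimal null/read-execute/total set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Rights a descriptor can carry: any subset of read, execute and write.
 * No bits, or no descriptor at all, is null access. */
enum { ACC_READ = 1, ACC_EXECUTE = 2, ACC_WRITE = 4 };

/* Faults the mapping unit can raise; kernel software handles each one. */
enum fault {
    FAULT_NONE = 0,
    FAULT_NULL_DESCRIPTOR,  /* no object behind this page/segment number */
    FAULT_ACCESS_VIOLATION, /* mode of access not granted in the descriptor */
    FAULT_NOT_RESIDENT,     /* object must be fetched from secondary memory */
    FAULT_OUT_OF_BOUNDS     /* offset beyond the object's length */
};

/* One active object descriptor (hypothetical layout). */
struct descriptor {
    bool     valid;      /* false: null access */
    bool     resident;   /* object currently in main memory */
    uint32_t base;       /* physical address of the object's first word */
    uint32_t length;     /* length in words */
    uint8_t  access;     /* subset of ACC_* */
    bool     referenced; /* set by the mapping unit on any access */
    bool     modified;   /* set by the mapping unit on a write */
};

#define MAX_OBJECTS 8
struct object_table { struct descriptor d[MAX_OBJECTS]; };

/* Two-component virtual address: object number, then word offset. */
struct vaddr { unsigned object; uint32_t offset; };

/* Mapped-mode translation: locate the descriptor, check the requested mode
 * (one ACC_* bit) against the granted rights, check residency and bounds,
 * maintain the flags, and form the physical address. */
enum fault translate(struct object_table *tbl, struct vaddr va,
                     uint8_t mode, uint32_t *paddr)
{
    if (va.object >= MAX_OBJECTS || !tbl->d[va.object].valid)
        return FAULT_NULL_DESCRIPTOR;
    struct descriptor *d = &tbl->d[va.object];
    if ((d->access & mode) != mode)
        return FAULT_ACCESS_VIOLATION;
    if (!d->resident)
        return FAULT_NOT_RESIDENT;
    if (va.offset >= d->length)
        return FAULT_OUT_OF_BOUNDS;
    d->referenced = true;
    if (mode & ACC_WRITE)
        d->modified = true;
    *paddr = d->base + va.offset;
    return FAULT_NONE;
}

/* Unmapped mode: the effective address is the physical address and no check
 * is made, so it is allowed only when the processor is in privileged mode. */
bool unmapped_translate(bool privileged, uint32_t eaddr, uint32_t *paddr)
{
    if (!privileged) return false;
    *paddr = eaddr;
    return true;
}

/* Constructed sample table: a code object, a data object, a swapped-out
 * object and an execute-only (proprietary program) object. */
void sample_table(struct object_table *t)
{
    *t = (struct object_table){0};
    t->d[0] = (struct descriptor){ true, true,  0x1000, 0x200, ACC_READ | ACC_EXECUTE, false, false };
    t->d[1] = (struct descriptor){ true, true,  0x4000, 0x100, ACC_READ | ACC_WRITE,   false, false };
    t->d[2] = (struct descriptor){ true, false, 0,      0x100, ACC_READ | ACC_WRITE,   false, false };
    t->d[3] = (struct descriptor){ true, true,  0x8000, 0x080, ACC_EXECUTE,            false, false };
}

/* Thin wrappers over the sample table so single accesses can be checked. */
enum fault fault_for(unsigned object, uint32_t offset, uint8_t mode)
{
    struct object_table t; uint32_t p;
    sample_table(&t);
    return translate(&t, (struct vaddr){ object, offset }, mode, &p);
}

uint32_t paddr_for(unsigned object, uint32_t offset, uint8_t mode)
{
    struct object_table t; uint32_t p = 0;
    sample_table(&t);
    return translate(&t, (struct vaddr){ object, offset }, mode, &p) == FAULT_NONE ? p : 0;
}

/* After one write into the data object, referenced and modified are both set
 * there and untouched objects keep clear flags. */
bool flags_after_write(void)
{
    struct object_table t; uint32_t p;
    sample_table(&t);
    translate(&t, (struct vaddr){ 1, 0x10 }, ACC_WRITE, &p);
    return t.d[1].referenced && t.d[1].modified && !t.d[0].referenced;
}

int main(void)
{
    printf("write to data object: fault %d, paddr 0x%x\n",
           fault_for(1, 0x10, ACC_WRITE), paddr_for(1, 0x10, ACC_WRITE));
    printf("read of execute-only object: fault %d\n", fault_for(3, 0, ACC_READ));
    return 0;
}
```

Note that the access check precedes the residency check, so a process learns nothing about where a page it has no right to is kept, and that an execute-only object can be executed but any read of it (the copy attempt the text mentions) faults.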


I/O ACCESS CONTROL

A virtual memory addressing mechanism that mediates all process
accesses to main memory is alone insufficient to satisfy fully the
requirement for complete mediation. As information is also stored
on and accessible from peripheral storage devices, an effective
security kernel must control the movement of information to and from
I/O devices.


All of the machines covered by this evaluation are based on a
bus structured architecture where the functional modules of the
minicomputer system - CPU, main memory, I/O devices - are attached
to a common data and control path called a bus. The bus is the
medium for intermodule communication. Briefly, one module
communicates with another by first gaining control of the bus;
second, specifying the module to be communicated with by putting its
address on the bus and waiting for acknowledgement; and third,
putting the information to be transferred on the bus. Input/output
occurs over the bus when data is transferred between an I/O device
and either a CPU or main memory module.

Two very different forms of I/O must be considered, slow speed
and high speed. Slow speed I/O is also called programmed I/O
because the central processor is involved in the transfer of each
and every word or byte of data. Slow speed data transfer results
from the execution of I/O instructions by the central processor.

The processor first executes an instruction to determine whether an
I/O device is ready to perform I/O. The instruction includes the
device's bus address and effectively reads the device's status
register over the bus. If the device is ready, the processor will
execute an instruction to read/write a word or byte of data from/to
the device. On a read, the I/O instruction sends a control word
over the bus instructing the device to read a word or byte from its
storage media and to put it on the bus for the central processor.
On a write, the instruction puts a control word on the bus informing
the device that it will be written on, followed by the data for the
device. While the above is a very general description of programmed
I/O on a bus structured architecture, it is meant to convey the
notion that the central processor performs I/O by communicating with
the status, control, and data registers of an I/O device over the
bus. Programmed I/O is useful only with slow speed I/O devices like
terminals, unit record devices, and paper tape units.

High speed I/O involves, naturally, high speed devices like
magnetic discs and drums. High speed I/O involves only minimal
central processor involvement, as information is transferred
directly between the high speed storage media and main memory. High
speed devices are also called direct memory access (DMA) devices;
once initiated and started by the central processor, a DMA device
works in parallel with the CPU and competes with it for access to
main memory. Taking magnetic discs as an example, several disc
drives may be controlled by a single disc control unit. Often a
specialized processing unit called an I/O channel will connect
several disc controllers to the bus. The central processor
initializes (programs) the I/O channel for each DMA transfer. DMA
transfers move data in blocks and initialization involves the
specification of a particular device and other parameters for the
transfer, e.g., location of the information on the device, starting
address and length of block in main memory, and direction of
transfer. The central processor initializes the transfer by passing
control information over the bus to the I/O channel. After
initialization the central processor starts the channel in operation
and is no longer involved in the transfer until it receives an
indication that the transfer is complete or that something has gone
wrong.

Essential Feature

Access to I/O Devices is Controlled

It is essential that a minicomputer provides some mechanism
that would enable a security kernel to maintain control over
accesses to I/O devices. Clearly, unregulated access to multilevel
peripheral storage devices by untrusted user or supervisory software
cannot be permitted.

A sufficient solution is the notion of privileged I/O, which
means that I/O is performed only when a process is executing in the
privileged domain (i.e., the processor is operating in a privileged
mode). Privileged I/O is implemented by privileged I/O
instructions, which may be executed only when the processor is
operating in privileged mode. Attempted execution of a privileged
instruction in non-privileged mode results in an illegal instruction
trap (internal interrupt) to a handler in privileged mode. The
kernel, whose software will execute in privileged mode, must perform
all I/O upon request by user or supervisory software.
Another means of implementing the notion of privileged I/O is
possible. Whereas most machines employ 6 or 7 bit bus addresses
(select codes) for I/O devices, some machines (e.g., PDP-11/45) have
bus architectures where I/O device status, command, and data
registers are addressed just like main memory. Fetching or storing
into an I/O device register is no different than fetching or storing
into any other main memory location. By judicious control over
virtual to physical address translation, access to I/O device
registers can be restricted to security kernel software.

Convenient  Features 

Although privileged mode I/O is sufficient to guarantee
security kernel control over I/O device accesses, complete
responsibility for I/O is delegated to the kernel, increasing kernel
size and complexity at the expense of verification effort. It would
be convenient if non-privileged user or supervisory software could
perform some external I/O* under minimal kernel control. Two
features are identified that contribute to this realization.

Mapped I/O Devices

An attractive approach is one, introduced earlier, that
includes I/O devices as part of the descriptor-based virtual memory
environment, where descriptors are provided for virtual I/O devices
and the memory mapping unit translates virtual device accesses into
physical device accesses. Consider, as an example, a bus
architecture like the PDP-11 family of minicomputers where I/O
device registers are addressed like main memory and descriptors can
be included within a process' active object table that map into the
control, status, and data registers of I/O devices.** A process
would generate a kernel request for access to an I/O


*External I/O is distinguished from internal I/O. Internal I/O is
swapping disk or drum I/O that the kernel must perform for virtual
memory management. External I/O is what is commonly thought of as
I/O, involving peripheral storage media like terminals, tapes,
cards, etc.

**This is more easily said than accomplished, as will be evident
later.
device; the kernel would grant or refuse the request depending on
the security levels of the process and the device.* If the kernel
grants the request, it enters a descriptor into the process' active
object table.

This concept is acceptable only for programmed I/O devices,
where those devices are only accessed by the currently executing
process and data is transferred directly between (typically) a CPU
register and the data register for the device. High-speed DMA I/O
requires some additional control mechanism to check main memory
accesses by the I/O channel, since the I/O channel may cause a
security compromise, as well as destroy kernel code, if it does not
follow its instructions, i.e., it reads or writes main memory
locations it hasn't been instructed to access.

DMA Main Memory Accesses Are Controlled

To fully support the notion of mapped I/O devices - both
programmed and DMA devices - all DMA device accesses to main memory
must be mapped just as central processor accesses are. Now the
virtual memory mapping unit assumes the role of general access
controller for the minicomputer system.

A process would request access to a DMA device, just as above
for a slow speed device; the kernel would grant a descriptor
permitting the process to access the device's status and control
registers. The process could then initialize a DMA block transfer
using process local virtual addresses and start the data transfer.
The DMA device would present virtual addresses which would be mapped
into physical addresses using the process' active object table. The
mapping unit would also check access rights. So that DMA transfers
on behalf of several processes can occur concurrently, as virtual
addresses are presented from a DMA device the mapping unit must be
capable of associating the correct active object table for the
process that initiated that device.

A serious drawback to this feature is that high speed I/O is
now performed interpretively through the kernel's mapping unit.
Some of the throughput of the high-speed transfer is traded off in
favor of increased security and kernel software simplicity.


*The security levels of the process and device must be equal; hence
the device may be read or written. Also, I/O devices cannot be
shared among processes.
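To make the mapped I/O device and mapped DMA arrangement of the last two subsections concrete, here is an added C model; it is not code from the report or from any surveyed machine. A process can program a channel only if the kernel has entered a descriptor for that device into its active object table; the kernel records which process started the channel, and every main memory address the channel later presents is translated through that process' table with the access right the direction of transfer requires. A stray address is checked the same way, so a misbehaving channel is confined to the pages and rights of the process that started it and cannot reach kernel memory absent from the table. The page descriptor layout, status codes, page size, and the sample machine are all assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { ACC_READ = 1, ACC_WRITE = 2 };
enum dma_status { DMA_OK = 0, DMA_NO_DEVICE_DESCRIPTOR, DMA_CHANNEL_BUSY,
                  DMA_NULL_DESCRIPTOR, DMA_ACCESS_VIOLATION, DMA_NOT_RESIDENT };

#define PAGE_WORDS   512u
#define MAX_PAGES    8
#define MAX_PROCS    2
#define MAX_CHANNELS 2

/* Page descriptor in a process' active object table (hypothetical layout). */
struct page_desc { bool valid; bool resident; uint32_t base; uint8_t access; };

struct process {
    struct page_desc page[MAX_PAGES];  /* active object table */
    bool device_desc[MAX_CHANNELS];    /* descriptor for the channel's registers present */
};

/* What the kernel records about a channel when it is started. */
struct channel {
    bool busy;
    int owner;              /* process whose table the mapping unit consults */
    uint32_t vstart, len;   /* programmed block, in process-local virtual words */
    bool to_memory;         /* device -> memory (writes) or memory -> device (reads) */
};

struct machine { struct process proc[MAX_PROCS]; struct channel chan[MAX_CHANNELS]; };

/* A process may program channel c only if it holds a descriptor for that
 * device; the kernel then ties the channel to the process. */
enum dma_status start_dma(struct machine *m, int pid, int c,
                          uint32_t vstart, uint32_t len, bool to_memory)
{
    if (!m->proc[pid].device_desc[c]) return DMA_NO_DEVICE_DESCRIPTOR;
    if (m->chan[c].busy) return DMA_CHANNEL_BUSY;
    m->chan[c] = (struct channel){ true, pid, vstart, len, to_memory };
    return DMA_OK;
}

/* The channel presents one virtual address.  The mapping unit selects the
 * owner's table and checks the right the direction needs; a stray address
 * is checked exactly like one inside the programmed block. */
enum dma_status map_dma_access(struct machine *m, int c, uint32_t vaddr, uint32_t *paddr)
{
    struct channel *ch = &m->chan[c];
    uint32_t pno = vaddr / PAGE_WORDS, off = vaddr % PAGE_WORDS;
    if (pno >= MAX_PAGES || !m->proc[ch->owner].page[pno].valid) return DMA_NULL_DESCRIPTOR;
    struct page_desc *d = &m->proc[ch->owner].page[pno];
    if (!(d->access & (ch->to_memory ? ACC_WRITE : ACC_READ))) return DMA_ACCESS_VIOLATION;
    if (!d->resident) return DMA_NOT_RESIDENT;
    *paddr = d->base + off;
    return DMA_OK;
}

/* Run the block word by word until completion or the first fault. */
enum dma_status run_dma(struct machine *m, int c, uint32_t *words_done)
{
    struct channel *ch = &m->chan[c];
    enum dma_status s = DMA_OK;
    for (*words_done = 0; *words_done < ch->len; (*words_done)++) {
        uint32_t p;
        if ((s = map_dma_access(m, c, ch->vstart + *words_done, &p)) != DMA_OK) break;
    }
    ch->busy = false;
    return s;
}

/* Constructed sample: process 0 holds a read/write page, a read-only page and
 * a swapped-out page, plus a descriptor for channel 0 only.  Kernel memory is
 * absent from the table, so no address the channel presents can reach it. */
void sample_machine(struct machine *m)
{
    *m = (struct machine){0};
    m->proc[0].page[0] = (struct page_desc){ true, true,  0x10000, ACC_READ | ACC_WRITE };
    m->proc[0].page[1] = (struct page_desc){ true, true,  0x20000, ACC_READ };
    m->proc[0].page[2] = (struct page_desc){ true, false, 0,       ACC_READ | ACC_WRITE };
    m->proc[0].device_desc[0] = true;
}

/* One complete request by process 0 on the sample machine. */
static enum dma_status demo(int c, uint32_t vstart, uint32_t len, bool to_memory, uint32_t *words)
{
    struct machine m; sample_machine(&m);
    *words = 0;
    enum dma_status s = start_dma(&m, 0, c, vstart, len, to_memory);
    return s == DMA_OK ? run_dma(&m, c, words) : s;
}
enum dma_status demo_status(int c, uint32_t vstart, uint32_t len, bool to_memory)
{ uint32_t w; return demo(c, vstart, len, to_memory, &w); }
uint32_t demo_words(int c, uint32_t vstart, uint32_t len, bool to_memory)
{ uint32_t w; demo(c, vstart, len, to_memory, &w); return w; }

/* A stray access from channel 0 after it was legitimately started. */
enum dma_status demo_stray(uint32_t vaddr)
{
    struct machine m; uint32_t p;
    sample_machine(&m);
    start_dma(&m, 0, 0, 0, 16, true);
    return map_dma_access(&m, 0, vaddr, &p);
}

int main(void)
{
    printf("600-word write crossing into a read-only page: status %d after %u words\n",
           demo_status(0, 0, 600, true), demo_words(0, 0, 600, true));
    return 0;
}
```

The word-by-word loop is the interpretive cost the text warns about; a real mapping unit would translate once per page and fault only at a page boundary, but the access decision per page is the same.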
EXECUTION DOMAINS


Execution Domains

Most of the machines surveyed are execution domain machines.
Several (PRIME, SCOMP) are concentric ring machines. The PDP-11
family is advertised as a three domain machine, but is very much
like a concentric ring machine.

All of the execution domain machines provide a single
privileged supervisor domain and one or more equally unprivileged
user domains. The number of user domains is governed by the number
of sets of address mapping registers within the memory mapping
hardware. Some machines provide as few as one set, others as many
as eight. The more sets provided, the greater the number of
processes that can be supported with minimal process switching
latency. Proper memory management by supervisor domain software can
assure the protection of user domains from each other.

All of the domain machines provide privileged instructions,
although a wide variation exists as far as what operations are
privileged. Some examples of privileged instructions are those that
perform I/O, manipulate virtual memory mapping registers, alter/load
the processor status register (e.g., set the domain of execution),
and enable/disable/mask interrupts. Correspondingly, software that
does I/O, manages the virtual memory environment (including the
handling of page or segment faults and access violations), manages
processes, and handles interrupts - all functions that a security
kernel must assume responsibility for - must run in supervisor
domain.

Another form of privilege exhibited by execution domain
machines is a capability for supervisor domain to operate in an
unmapped mode, whereby effective program addresses are treated not
as virtual addresses but rather as unmapped physical addresses.
Typically access checking can also be disabled within supervisor
domain. These two facilities can be used to give supervisor domain
software unrestricted access to a block (usually the first 2**16
memory locations) of main memory. A security kernel running in
supervisor domain would reserve this memory block for its own
software and data bases, denying unprivileged user software access
to the area by properly managing the memory mapping information.

The PDP-11 three domain architecture, as implemented by the
memory management unit (MMU) option, closely approaches the
concentric ring concept. In order of decreasing privilege, the
three domains are: kernel, supervisor, and user. Associated with
each domain is a set of memory mapping registers. A PDP-11 process
consists of a kernel address space, a supervisor address space, and
a user address space. When a PDP-11 process is executing in kernel
domain, all three address spaces are accessible; when the process is
executing in supervisor domain, both supervisor and user spaces are
accessible; and when in user domain, only user space is accessible.
Clearly, only kernel software would operate in kernel domain. On
the PDP-11/45 a security kernel can be distributed among user
processes.

Concentric Rings

Three of the machines evaluated, PRIME's 400 and 500 and
Honeywell's SCOMP, are concentric ring machines.

The PRIME machines provide 3 rings while the SCOMP provides
four.* Conceptually, the rings are arranged concentrically, with
ring 0 innermost, most privileged, and most protected, and rings 1,
2, etc., peripheral to ring 0 and of decreasing privilege and
protection. The processor status word includes a field that defines
the current ring of execution. As described earlier, a process'
active program and data files are assigned to specific rings. This
assignment of a process' active objects to specific rings is
effected by ring bracket information stored within the descriptor
for each object. Generally there are several brackets within each
descriptor that define the rings of execution from which the object
may be read, written, and executed. For example, the SCOMP has
three brackets, R1, R2, and R3, that are used in the following
manner. A SCOMP process may write an object provided it has been
granted write access to the object and its current ring of execution
is between 0 and (including) R1; the process may read an object
provided it has read access and its current ring of execution is
between 0 and R2; the process may execute an object provided it has
execute access and its current ring of execution is between R1 and
R2 (and note that the ring of execution will not change); and
finally, the process may call (with a special instruction) and
execute an object, with a resulting change in the current ring of
execution to a lower ring (an inward ring call), provided the
process has execute access and its current ring of execution is
between R2 and R3 (R3 must be greater than R2 within the object's
descriptor). As should be evident, a process' access capabilities


*Note that SCOMP rings 0 and 1 are identical, effectively providing
just 3 rings.
to objects within its address space tend to increase as the process'
current ring of execution decreases or moves inward. Also, some
instructions can be defined as privileged to processes operating
within ring 0 and, possibly, ring 1.

Within a concentric ring architecture like the SCOMP, objects
are implicitly assigned to a ring or set of rings through the
assignment of ring bracket values within descriptors for the object.
For example, assuming a kernel that will run in ring 0, read and
write access to a kernel data object can be restricted to kernel
procedures by the assignments R1 = 0 and R2 = 0 for the object's
descriptor. A kernel procedure object can be included within the
address space of a user process with the assignment of ring bracket
values as follows: R1 = 0, R2 = 0, and R3 = 3. This means that the
user process, when executing in rings 1, 2, or 3, may call the
kernel procedure using the special call instruction, resulting in a
change of the current ring of execution to ring 0. The kernel
procedure and data objects above are both assigned to ring 0.
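The SCOMP-style bracket rules above, as an added C example (not the report's or Honeywell's code). It encodes the four checks: write from rings 0..R1, read from rings 0..R2, execute in place from rings R1..R2, and an inward call from rings above R2 up to R3, each conditioned on the access the kernel granted. Two readings are assumptions of the example rather than statements of the text: the call bracket is taken to exclude R2 itself (the execute bracket already covers it, and the text's example has rings 1, 2, 3 calling a procedure with R2 = 0), and an inward call is taken to land in ring R2. The descriptors named kernel_data and kernel_proc carry the bracket values from the text's example; user_data is constructed for contrast.

```c
#include <stdbool.h>
#include <stdio.h>

enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXECUTE = 4 };
enum op { OP_READ, OP_WRITE, OP_EXECUTE, OP_CALL };

/* Ring brackets and granted access, as carried in an object's descriptor
 * (hypothetical layout; 0 <= r1 <= r2 <= r3). */
struct ring_desc {
    int r1, r2, r3;
    unsigned access;    /* subset of ACC_* granted to this process */
};

/* Result of the check: whether the operation proceeds, and the ring the
 * process runs in afterwards (unchanged except for an inward call). */
struct ring_decision { bool permitted; int new_ring; };

struct ring_decision ring_check(const struct ring_desc *d, int ring, enum op op)
{
    struct ring_decision r = { false, ring };
    switch (op) {
    case OP_WRITE:    /* write bracket: rings 0..R1 */
        r.permitted = (d->access & ACC_WRITE) && ring >= 0 && ring <= d->r1;
        break;
    case OP_READ:     /* read bracket: rings 0..R2 */
        r.permitted = (d->access & ACC_READ) && ring >= 0 && ring <= d->r2;
        break;
    case OP_EXECUTE:  /* execute bracket: rings R1..R2, ring unchanged */
        r.permitted = (d->access & ACC_EXECUTE) && ring >= d->r1 && ring <= d->r2;
        break;
    case OP_CALL:     /* call bracket: rings R2+1..R3 (assumption: R2 excluded),
                         requires R3 > R2; the inward call lands in R2 (assumption) */
        r.permitted = (d->access & ACC_EXECUTE) && d->r3 > d->r2 &&
                      ring > d->r2 && ring <= d->r3;
        if (r.permitted) r.new_ring = d->r2;
        break;
    }
    return r;
}

/* Descriptors with the bracket values from the text's example. */
const struct ring_desc kernel_data = { 0, 0, 0, ACC_READ | ACC_WRITE };
const struct ring_desc kernel_proc = { 0, 0, 3, ACC_EXECUTE };
/* Constructed user-ring data object: usable from ring 3 and any ring inward. */
const struct ring_desc user_data   = { 3, 3, 3, ACC_READ | ACC_WRITE | ACC_EXECUTE };

bool permitted(const struct ring_desc *d, int ring, enum op op)
{
    return ring_check(d, ring, op).permitted;
}

int ring_after(const struct ring_desc *d, int ring, enum op op)
{
    return ring_check(d, ring, op).new_ring;
}

int main(void)
{
    printf("ring 3 call of kernel procedure: %s, now in ring %d\n",
           permitted(&kernel_proc, 3, OP_CALL) ? "permitted" : "denied",
           ring_after(&kernel_proc, 3, OP_CALL));
    printf("ring 1 read of kernel data: %s\n",
           permitted(&kernel_data, 1, OP_READ) ? "permitted" : "denied");
    return 0;
}
```

The checks show the monotonic property the text states next: for user_data every operation allowed in ring 3 is also allowed in rings 0 to 2, while kernel_data is unreachable from any ring but 0.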

Essential Hardware Features

Two Hierarchically Structured Domains or Rings

It is minimally essential that a machine provide two domains
where one domain is privileged and protected from the other.
Security kernel software would run within the privileged domain, and
untrusted user software would execute within the unprivileged
domain. All of the machines surveyed meet this essential
requirement.

Controlled Transfer into Privileged Domain 

Transfer of execution into the privileged domain must certainly be 
controlled. Clearly, transfer to arbitrary points within a security 
kernel running in the privileged domain cannot be allowed. All of the 
machines surveyed meet this essential requirement. In general, 
transfer into the privileged domain occurs as the result of external 
and internal interrupts. 

External interrupts are controlled signals generated by I/O devices 
(i.e., external to the central processing element); internal 
interrupts are unexpected signals generated by hardware conditions or 
programming violations (i.e., typically within the central processing 
element). Examples of internal interrupts are memory management and 
protection faults and illegal instruction traps. External interrupts 
cause a transfer to a predefined entry point, dependent upon the 
interrupting device, which holds the location, generally within the 
privileged domain, of a software handler for the device. Memory 
management faults (e.g., addressed object not in core, memory 
protection fault) also cause automatic transfer to predefined 
locations in privileged domain space. Attempted execution of 
privileged or undefined instructions within an unprivileged domain 
also results in automatic transfer into the privileged domain. On the 
execution domain machines, one such instruction is a supervisor call 
instruction which is used within the unprivileged domain to request 
supervisory services from privileged domain software. As might be 
expected, ring architectures have a more sophisticated means of domain 
transfer, which is discussed shortly. 

Convenient Hardware Features 

Three or More Domains or Rings 

Just having two domains is a constraint for providing protected 
supervisory services. Fundamental to kernel technology, due to the 
requirements for verification, is the need to minimize the amount of 
security sensitive software that must run in the privileged domain. 
This consideration precludes the inclusion of supervisory services 
within kernel software and, within a two-domain machine, means that 
supervisory software must run in the same domain as, and unprotected 
from, user software. At least three domains are more convenient, so 
that a separate domain for supervisory software is provided. 

Hierarchically Structured Domains/Rings 

If three domains/rings are provided, it would be convenient if they 
were arranged in a hierarchical order of privilege and protection, so 
that a domain intermediate in privilege and protection is available 
for supervisory software. On most execution domain machines with three 
or more domains there are really only two levels of privilege, and a 
supervisor would be relegated to run in one of the unprivileged user 
domains. Although such a supervisor can be protected from software 
running in other user domains, a separate supervisor domain that is 
more privileged than the user domain is more desirable. The PDP-11/45 
and 11/70 provide a supervisor domain intermediate to an unprivileged 
user domain and a privileged kernel domain. On ring machines, the 
protection rings are ordered in terms of privilege and protection; a 
supervisor would run in ring 1, protected from, and more privileged 
than, supervisory and user software running in higher rings. 
Multiple Privileged Domain/Ring Entry Points 

It would be convenient if the trap instructions for user software 
initiated transfer into the privileged domain/ring provided more than 
a single entry point. With just one entry point, a kernel would have 
to retrieve additional information from user software to determine 
the particular kernel function requested; the kernel must then 
transfer to the function's real entry point. Multiple hardware 
supported entry points would eliminate the overhead of determining 
the real entry point. 

Most of the domain machines support only a single entry point. The 
ring machines provide a much more flexible mechanism for ring 
transfers. Recall that a transfer of execution into an inner ring can 
occur only by the invocation of a special procedure object (in SCOMP, 
one with R3 > R2) using a special procedure call instruction. The 
special procedure object is called a "gate" segment because a set of 
specific entry points is defined at segment creation. The address 
translation hardware will ensure that, on an inward ring transfer to 
a gate segment, the effective transfer address is a legal entry point 
within the gate segment. Kernel gate procedures can be defined with 
several hardware-monitored entry points so that transfer into the 
kernel is tightly and completely controlled. 

Argument Validation 

When kernel functions are invoked, non-kernel software must often 
provide pointers for the passing of arguments or the return of 
results. These pointers must be validated; in other words, the kernel 
must determine that the user process really has access to the 
locations provided as pointers. For example, consider a user request 
for the kernel to input a block of information from an I/O device 
into an area within the user's virtual address space. The kernel must 
verify that the user process has write access to that area. Any 
hardware features that would minimize kernel software overhead for 
argument validation would be convenient. 

On execution domain machines, a kernel should be permitted to use 
user domain mapping registers for address translation in fetching 
operands or storing results. Further, the kernel must be able to 
tolerate argument validation access faults; i.e., such access faults 
should set a flag or condition code accessible to the kernel, but 
should not generate an internal interrupt. 

Argument validation is somewhat more complex in a ring machine 
because of the possibility of indirect addressing through different 
virtual memory objects in the course of effective operand address 
generation. That is, the processor may make two or more memory 
references to different objects to fetch indirect addresses before 
the operand is actually fetched. Each indirect address fetch is 
subject to the same access control and address translation as a 
simple read access to data. For example, if an indirect address is 
fetched from an object that can be written from a higher ring than 
the current ring of execution, the ultimate location referenced by 
the indirect address must be governed by access controls defined by 
the ring in which the object containing the indirect address resides, 
rather than the current ring of execution. That is, the address 
translation and access checking hardware should validate indirect 
references with respect to the ring to which the object containing 
the indirect address has been assigned. The SCOMP, for example, 
accomplishes this by maintaining a register Reff, called the 
effective ring, that is the maximum (inclusive OR) of the R1 (write) 
ring bracket values in all descriptors encountered during effective 
address generation. Reff is initialized to the current ring of 
execution at the beginning of each instruction cycle and its value, 
as updated, is used as the effective ring of execution during all 
access checks for the duration of the cycle. 
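As an added example (written for this edition; it is neither the paper's own material nor SCOMP microcode), the following C model puts together the three ring mechanisms described above: the bracket checks of the SCOMP descriptor example (R1 = R2 = 0 for kernel data; R1 = 0, R2 = 0, R3 = 3 for a kernel gate), the hardware check that an inward call lands on a legal gate entry point, and the effective ring Reff during indirect addressing. The bracket rules are the Multics/SCOMP convention, of which the paper's examples are instances; the object numbers, the 16-bit address word encoding, the entry-point table and the sample address space are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of SCOMP-style ring brackets R1 <= R2 <= R3 and of the effective
   ring Reff kept during effective address generation. Bracket rules (Multics/
   SCOMP convention, assumed): write if ring <= R1, read if ring <= R2, execute
   in place if R1 <= ring <= R2, inward call through a gate if R2 < ring <= R3,
   arriving in ring R2. */

#define MEMW 8                          /* toy object size in words */
#define NOBJ 4                          /* objects in the sample address space */

typedef struct {
    int r1, r2, r3;                     /* ring brackets from the descriptor */
    int entries[4];                     /* legal gate entry offsets, -1 terminated */
    uint16_t mem[MEMW];                 /* words; may hold indirect address words */
} object_t;

enum access { ACC_READ, ACC_WRITE, ACC_EXECUTE, ACC_CALL };

bool bracket_permits(const object_t *o, int ring, enum access a) {
    switch (a) {
    case ACC_WRITE:   return ring <= o->r1;
    case ACC_READ:    return ring <= o->r2;
    case ACC_EXECUTE: return ring >= o->r1 && ring <= o->r2;
    case ACC_CALL:    return ring > o->r2 && ring <= o->r3;
    }
    return false;
}

/* Special call into a gate: caller must be in (R2, R3] and the transfer offset
   must be one of the entry points fixed at segment creation. Returns the new
   ring of execution, or -1 for a fault. */
int gate_call(const object_t *gate, int ring, int offset) {
    if (!bracket_permits(gate, ring, ACC_CALL)) return -1;
    for (int i = 0; gate->entries[i] >= 0; i++)
        if (gate->entries[i] == offset) return gate->r2;
    return -1;                          /* not a legal entry point */
}

/* Assumed address word: bit 15 = indirect, bits 8-11 = object, bits 0-7 = offset */
typedef struct { int obj, off; bool indirect; } addr_t;
static addr_t decode(uint16_t w) {
    addr_t a = { (w >> 8) & 0xF, w & 0xFF, (w & 0x8000) != 0 };
    return a;
}

/* Effective address generation. Reff starts at the current ring. Each indirect
   word fetched is a read checked at Reff, and Reff is raised to the R1 of the
   object it came from, since anything in ring R1 could have written that word.
   The final operand access is checked at Reff, not at the current ring. */
bool resolve_and_check(const object_t *objs, int ring, uint16_t addr_word,
                       enum access final, int *reff_out) {
    int reff = ring;
    addr_t a = decode(addr_word);
    for (int hops = 0; a.indirect; hops++) {
        if (hops >= 8 || a.obj >= NOBJ || a.off >= MEMW) return false;
        const object_t *o = &objs[a.obj];
        if (!bracket_permits(o, reff, ACC_READ)) return false;
        if (o->r1 > reff) reff = o->r1;
        a = decode(o->mem[a.off]);
    }
    if (a.obj >= NOBJ) return false;
    *reff_out = reff;
    return bracket_permits(&objs[a.obj], reff, final);
}

/* Constructed address space: 0 = kernel data (0,0,0), 1 = kernel gate (0,0,3),
   2 = user data (3,3,3), 3 = supervisor data (1,3,3). Objects 0, 2 and 3 each
   hold a direct pointer word to kernel data word 4. */
void build_objects(object_t *o) {
    object_t kdata = { 0, 0, 0, { -1 }, { 0 } };
    object_t kgate = { 0, 0, 3, { 0x10, 0x20, -1 }, { 0 } };
    object_t udata = { 3, 3, 3, { -1 }, { 0 } };
    object_t sdata = { 1, 3, 3, { -1 }, { 0 } };
    kdata.mem[2] = 0x0004; udata.mem[0] = 0x0004; sdata.mem[0] = 0x0004;
    o[0] = kdata; o[1] = kgate; o[2] = udata; o[3] = sdata;
}

typedef struct {
    int gate_ok, gate_bad_entry, gate_from_ring0;
    bool direct_ok, via_kernel_ptr_ok, via_user_ptr_ok, via_sup_ptr_ok;
    int reff_user, reff_sup;
} demo_t;

/* The kernel, in ring 0, stores to kernel data word 4 directly and through
   pointer words held in kernel, user and supervisor objects. */
demo_t run_demo(void) {
    object_t objs[NOBJ]; demo_t d = {0}; int r = 0;
    build_objects(objs);
    d.gate_ok         = gate_call(&objs[1], 3, 0x10);   /* ring 3 -> ring 0 */
    d.gate_bad_entry  = gate_call(&objs[1], 3, 0x11);   /* not an entry point */
    d.gate_from_ring0 = gate_call(&objs[1], 0, 0x10);   /* inside the bracket: no gate call */
    d.direct_ok         = resolve_and_check(objs, 0, 0x0004, ACC_WRITE, &r);
    d.via_kernel_ptr_ok = resolve_and_check(objs, 0, 0x8002, ACC_WRITE, &r);
    d.via_user_ptr_ok   = resolve_and_check(objs, 0, 0x8200, ACC_WRITE, &d.reff_user);
    d.via_sup_ptr_ok    = resolve_and_check(objs, 0, 0x8300, ACC_WRITE, &d.reff_sup);
    return d;
}

int main(void) {
    demo_t d = run_demo();
    printf("gate: %d %d %d\n", d.gate_ok, d.gate_bad_entry, d.gate_from_ring0);
    printf("write kdata: direct %d, via kernel ptr %d, via user ptr %d (Reff %d), via sup ptr %d (Reff %d)\n",
           d.direct_ok, d.via_kernel_ptr_ok, d.via_user_ptr_ok, d.reff_user, d.via_sup_ptr_ok, d.reff_sup);
    return 0;
}
```

The last two scenarios are the ones the paper's argument is about: the kernel, in ring 0, stores through a pointer word that lives in an object writable from ring 3 (or ring 1). Without Reff the store would land in kernel data with ring 0 privilege, letting whoever wrote the pointer word choose the target; with Reff raised to the writer's ring the same store is checked at that ring and refused, while the store through a kernel-resident pointer word still succeeds.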

Support for Stacks 

Most of the machines surveyed provide some hardware support for the 
notion of stacks. Stacks facilitate the implementation of shared, 
reentrant, and recursive procedures, and they provide an efficient 
mechanism for subroutine parameter passing and the return of results. 
Clearly, separate stacks must be maintained for the different 
domains/rings in which a process may execute. It would be convenient 
if some hardware support were provided for the establishment of 
appropriate stacks upon interdomain/interring transfers, and the 
reestablishment of old stacks upon return. Otherwise most of this 
stack management must be performed in software. 


PROCESS CONTROL 

Input/output control and storage control (virtual memory management) 
are two major activities of a security kernel. A third is the 
management and control of processes, the implementation of the 
mathematical model's subject abstraction. 
Essential Hardware Features 

Multiple Processes 

If many users are to share concurrently the available resources of a 
general purpose computer system, the base computer architecture must 
provide support for an efficient multiple process structure. The 
minimal hardware support necessary is the capability to save and 
restore process definition information. Recall that a process is 
defined as an address space and a state (or context). The state of a 
process in execution is embodied by the current values of certain 
central processor registers, e.g., processor status (current domain, 
interrupt priority level, condition codes), stack pointers, program 
counters, general purpose and floating point registers. Within a 
virtual or mapped memory environment, the address space of a process 
is embodied by a set of address translation registers. To support 
multiple processes, a computer architecture must provide a means of 
saving and restoring the various hardware registers that define the 
state and address space of a process in execution. 

Convenient Hardware Features 

An Efficient Process Switch 

Experience gained in the design of a multilevel secure application 
software system - a secure, interactive military message service 
designed to operate on a kernel-based secure operating system - has 
indicated that fast and efficient process switching may be critical 
to performance. The constraint on object modification imposed by 
*-property enforcement requires multiple processes (at various 
classification levels) operating on behalf of each message service 
user. Response time and overall system performance are critical 
factors governing user acceptance of a multilevel, secure, 
interactive military message service, and fast process switching 
contributes to better response and performance. 

Any hardware support for minimizing the time required to save and 
restore process definition information is clearly convenient. For 
example, a single instruction to save/restore process state registers 
as a block is helpful, rather than repetitive instruction execution 
to save/restore a single register at a time. On execution domain 
machines, a single instruction to save/restore a set of address 
translation registers at a time is also desirable. Another factor on 
execution domain machines is the number of sets of address 
translation registers (i.e., the number of user domains) provided by 
the memory mapping hardware. Some provide as few as one, others as 
many as 8 or 16. The more provided, the greater the probability that 
a process switch will not require the swapping of a set of mapping 
registers. Ring machines do not have sets of mapping registers. 
Rather, segment descriptor tables are kept in main memory and 
descriptors are fetched during address translation.* To save/restore 
process address space information on a process switch, only a single 
register that points to the process' descriptor table in memory must 
be saved/restored. 

Support for Interprocess Communication 

Interprocess signalling and communication are essential activities 
within a computer system supporting multiple processes. These 
activities are integral to the scheduling, dispatching, and overall 
coordination of processes. On most machines, these functions are 
handled solely in software. Surely, any hardware support in this area 
is desirable in that a more efficient IPC mechanism contributes to 
more efficient management of multiple processes. 

Summary 

A tabular summary of the essential and convenient hardware features 
is presented below in Table 1. This summary serves as an evaluation 
criteria checklist and will be used in the next section to summarize 
the evaluation of each machine. 


*To speed address translation, i.e., to minimize the frequency of 
descriptor fetches from main memory, the ring machines provide a 
high-speed, associative cache memory in which current (most active) 
descriptors are stored. 
Table 1. Evaluation Criteria Summary 

SECTION III 


THE  EVALUATIONS 


In this section the minicomputers are evaluated. Again, the machines 
evaluated are those within a vendor's product line intended for use 
as general-purpose computational utilities. Typically, the machines 
chosen are those that can be configured with optional memory mapping 
units. There may be several such machines within a vendor's line, and 
in these cases the accompanying evaluation attempts to cover all of 
them. 

Each evaluation first discusses the machine's support in each of the 
four functional areas: Virtual Memory, I/O Access Control, Execution 
Domains, and Process Control. Then, the machine is assigned a rating 
on its support for the various essential and convenient features. The 
rating is assigned as follows: 

POOR (-)       The machine supports the feature not at all or very 
               poorly. 

GOOD (+)       The machine supports the feature to some extent, but 
               not completely. 

EXCELLENT (*)  The machine provides complete support for the feature. 


MODCOMP IV/35 

Modular Computer Systems, Inc., Ft. Lauderdale, Florida, offers three 
families of compatible minicomputer systems: MODCOMP I, MODCOMP II, 
and MODCOMP IV. The MODCOMP IV family, which consists of one model, 
the IV/35, is the only one that supports a memory management 
subsystem and is therefore the only one evaluated. The IV/35 is 
described [19] as a medium-to-large, multiprogrammable, 32-bit 
parallel, general purpose digital computer, specifically designed to 
be the host machine in real time, communication, and information 
processing computer networks. 

Virtual Memory 

The MODCOMP IV/35 includes a memory management system that provides 
a paged mapped memory organization. Memory pages are each 256 words 
in length. Main memory is expandable in 32K byte increments from 32K 
bytes up to 512K bytes. 

There are eight RAM-implemented Address Mapping Files (AMFs) - 
numbered 0 through 7 - for use in virtual address translation. Each 
AMF virtual map may address up to 256 pages, so a per process address 
space of 64K words is provided. Program virtual addresses are 16 
bits: 8 bits select a page within the process' AMF and 8 bits select 
a word within the page. 

A process can have null, read, read-execute, or read-write-execute 
access to pages in its virtual address space. In addition, there are 
two map select registers that permit either one or two maps to be 
used concurrently for instructions and operands; therefore program 
and data files can be mapped separately, providing execute-only and 
read-only access. 

Referenced and Modified flags are not supported, although the ZIMP, 
ZOMP, AMFN, and DMFN privileged instructions are convenient features 
for memory management. ZIMP and ZOMP are used to clear blocks of 
contiguous registers within instruction and operand AMFs, 
respectively; ZIMP and ZOMP provide a flexible and efficient 
mechanism for zeroing part of an AMF for processes that do not use 
the whole virtual address space. AMFN and DMFN provide semi-automatic 
allocation and deallocation of physical memory pages. 

I/O Access Control 

The MODCOMP IV/35 includes a Primary Input/Output Processor (PIOP) 
that may provide both low-speed and high-speed I/O capabilities. 

As a standard feature, the PIOP performs program controlled byte or 
word data transfers between general purpose CPU registers and device 
registers of up to 64 peripheral devices daisy-chained on a 16-bit 
wide party-line I/O bus. Privileged I/O instructions are provided for 
transferring data, commands, and device status codes to and from each 
device. Low-speed devices are not addressed like main memory, but 
rather are assigned select codes (numbers from 0 to 63) on the I/O 
bus. 

As an optional feature, the PIOP may support a Direct Memory 
Processor (DMP) for high speed data transfer with DMA devices 
interfaced to the standard I/O bus. The optional DMP provides 16 
multiplexed, block transfer channels connected to memory through a 
separate memory port. A privileged I/O instruction (DMPI) is used to 
initialize the DMP for each block transfer. A limited measure of DMA 
device control - in the form of virtual to physical address 
translation - is provided by the DMP. The DMPI instruction takes as a 
parameter the address of an AMF image stored in main memory. 

When in operation, a DMP channel uses the map image to check access 
to main memory. At initialization, the DMP channel is also given a 
virtual address that is the starting location for the block transfer 
and a word count. The block to be transferred may be considerably 
larger than a memory page. The DMP channel does not verify access 
rights on each word access; rather, access checking and virtual 
address translation are performed only when a virtual page boundary 
is crossed. It is the responsibility of the operating system not to 
change any of the pages while the DMP is operating on them: a change 
to a page's mapping or access rights made after the channel has 
entered that page is not seen by the channel until the next page 
boundary. 
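An added C model (written for this edition; it is not from the paper and not MODCOMP code) of the two points above: 16-bit virtual addresses translated through an AMF with separate instruction and operand maps, and a DMP channel that checks access only on entering a page. The map contents, physical page numbers and the 600-word transfer are constructed for the example, and the DMP is simulated one word at a time so that the operating system can alter the map image between steps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of MODCOMP IV/35 address mapping: an AMF of 256 entries, 256-word
   pages, access rights null / read / read-execute / read-write-execute, separate
   instruction and operand maps, and a DMP channel that re-checks access only on
   entering a new page. Map contents and physical page numbers are constructed. */

#define PAGE_WORDS 256
#define MAP_ENTRIES 256

enum rights { ACC_NULL, ACC_R, ACC_RX, ACC_RWX };
enum op { OP_READ, OP_WRITE, OP_EXEC };

typedef struct { uint16_t phys_page; enum rights rights; } map_entry_t;
typedef struct { map_entry_t e[MAP_ENTRIES]; } amf_t;   /* an AMF, or a map image in memory */

static bool rights_allow(enum rights r, enum op op) {
    switch (op) {
    case OP_READ:  return r >= ACC_R;
    case OP_WRITE: return r == ACC_RWX;
    case OP_EXEC:  return r >= ACC_RX;
    }
    return false;
}

/* 16-bit virtual address: high 8 bits select the map entry (page), low 8 bits
   the word in the page. Returns the physical word address, or -1 on a violation. */
long translate(const amf_t *m, uint16_t vaddr, enum op op) {
    const map_entry_t *e = &m->e[vaddr >> 8];
    if (!rights_allow(e->rights, op)) return -1;
    return (long)e->phys_page * PAGE_WORDS + (vaddr & 0xFF);
}

/* Two map-select registers: instruction fetches use one AMF, operand accesses
   another, which is how execute-only code and read-only data are obtained. */
typedef struct { const amf_t *imap, *omap; } cpu_t;
long fetch_instr(const cpu_t *c, uint16_t pc)          { return translate(c->imap, pc, OP_EXEC); }
long operand(const cpu_t *c, uint16_t va, enum op op) { return translate(c->omap, va, op); }

/* DMP channel: translated and checked at initialization and again only when
   the transfer crosses a virtual page boundary. */
typedef struct { const amf_t *image; uint16_t vaddr; int remaining; enum op op; long phys; bool faulted; } dmp_chan_t;

void dmp_init(dmp_chan_t *ch, const amf_t *image, uint16_t vaddr, int words, enum op op) {
    ch->image = image; ch->vaddr = vaddr; ch->remaining = words; ch->op = op;
    ch->phys = translate(image, vaddr, op);
    ch->faulted = ch->phys < 0;
}

/* Move up to n words; returns how many were moved before the count ran out or a fault. */
int dmp_step(dmp_chan_t *ch, int n) {
    int moved = 0;
    while (!ch->faulted && ch->remaining > 0 && moved < n) {
        ch->vaddr++; ch->phys++; ch->remaining--; moved++;     /* one word moved at ch->phys */
        if (ch->remaining > 0 && (ch->vaddr & 0xFF) == 0) {    /* entered a new page: re-check */
            ch->phys = translate(ch->image, ch->vaddr, ch->op);
            ch->faulted = ch->phys < 0;
        }
    }
    return moved;
}

/* Constructed maps: page 0 = code (RX in the instruction map, null in the operand
   map, i.e. execute-only), page 1 = read-write data, page 2 = read-only data. */
void build_maps(amf_t *imap, amf_t *omap) {
    for (int i = 0; i < MAP_ENTRIES; i++)
        imap->e[i] = omap->e[i] = (map_entry_t){ 0, ACC_NULL };
    imap->e[0] = (map_entry_t){ 10, ACC_RX };
    omap->e[1] = (map_entry_t){ 20, ACC_RWX };
    omap->e[2] = (map_entry_t){ 30, ACC_R };
}

typedef struct {
    long code_fetch, code_read, data_write, ro_write, ro_read;
    int moved1, moved_after_revoke, moved3; bool faulted;
} demo_t;

demo_t run_demo(void) {
    static amf_t imap, omap;
    cpu_t cpu = { &imap, &omap };
    dmp_chan_t ch;
    demo_t d = {0};
    build_maps(&imap, &omap);
    d.code_fetch = fetch_instr(&cpu, 0x0010);          /* allowed: 10*256 + 16 */
    d.code_read  = operand(&cpu, 0x0010, OP_READ);     /* denied: code is execute-only */
    d.data_write = operand(&cpu, 0x0105, OP_WRITE);
    d.ro_write   = operand(&cpu, 0x0205, OP_WRITE);    /* denied: read-only page */
    d.ro_read    = operand(&cpu, 0x0205, OP_READ);
    /* 600-word input starting at page 1: checked on entry to page 1 only */
    dmp_init(&ch, &omap, 0x0100, 600, OP_WRITE);
    d.moved1 = dmp_step(&ch, 100);
    omap.e[1].rights = ACC_NULL;                       /* OS revokes page 1 mid-transfer */
    d.moved_after_revoke = dmp_step(&ch, 100);         /* still moves: no re-check inside the page */
    d.moved3 = dmp_step(&ch, 100);                     /* 56 words to the boundary, then page 2 is read-only */
    d.faulted = ch.faulted;
    return d;
}

int main(void) {
    demo_t d = run_demo();
    printf("fetch %ld read-code %ld write-data %ld write-ro %ld read-ro %ld\n",
           d.code_fetch, d.code_read, d.data_write, d.ro_write, d.ro_read);
    printf("DMP moved %d, after revoke %d, then %d (faulted=%d)\n",
           d.moved1, d.moved_after_revoke, d.moved3, d.faulted);
    return 0;
}
```

The DMP part shows the hazard the paper assigns to the operating system: after the channel has entered page 1, revoking that page in the map image changes nothing until the channel reaches page 2, so a kernel must keep a page's mapping and rights fixed for the life of the transfer, or stop the channel before changing them.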

Execution Domains 

The MODCOMP IV/35 offers but two hierarchically structured execution 
domains: privileged and user. Eight mapped user domains are provided 
by the 8 hardware AMFs; all 8 user domains are equally unprivileged. 
Transfer to the privileged domain can be initiated from each user 
domain via the Request Executive Service (REX) unprivileged 
instruction. REX is inflexible, trapping via an Unimplemented 
Instruction Interrupt signal to a single entry point defined by an 
interrupt vector in low memory. 

The privileged domain is characterized by the ability to execute 
privileged instructions. Some of the privileged functions provided 
are: 

1. Enter virtual addressing mode; when off, the CPU addresses main 
memory directly. 

2. Monitor and control the priority interrupt system. 

3. Execute program-controlled I/O instructions and initialize DMP 
I/O channels. 

4. Move instruction and operand map images between AMFs and main 
memory. 

Argument transfer between a user domain and the privileged domain is 
accomplished by the select operand map (SOOM) privileged instruction, 
which permits privileged software to use another AMF temporarily for 
operand fetches/stores. Access violations do not generate a memory 
protection fault and are effectively null operations. Privileged 
software can therefore not detect the occurrence of the access 
violation. 
Two privileged instructions, Load Register from Memory (LDVM) and 
Store Register to Memory (STVM), provide an additional measure of 
data transfer and a reasonable amount of argument validation. These 
instructions permit the movement of a data word between a general 
purpose register and the virtual address space defined by an AMF map 
image in main memory. These are useful for transferring operands 
to/from the virtual address space of a process that is suspended and 
does not have its map image loaded within an AMF (e.g., interrupt 
driven I/O handlers). The load or store is permitted only if 
read-write-execute access rights are allowed to the process for the 
virtual page accessed; otherwise, the load or store is not permitted 
and the carry condition code is set. It would be much more helpful if 
a load were permitted provided read or read-execute access rights 
were present. 

Process Control 

The MODCOMP IV/35 can accommodate 7 user processes directly using 
seven of the eight AMFs - assuming one map is reserved for the 
supervisor. Considering a system supporting 7 users or less, process 
switching can be quite fast, involving just a switch of a 32-bit 
program status doubleword (PSD). The PSD contains such context as: 

o program counter 
o current selected instruction and operand AMF 
o integer overflow history 
o condition codes 
o privilege state 
o current selected general purpose register set 

There are 16 general purpose register sets implemented in firmware. 
Hence, considering a system with 16 users or less, process switching 
can be limited to the time it takes to load an AMF with a map image 
from main memory using the LIMP or LOMP privileged instruction. These 
instructions consume approximately 1 microsecond per map entry, with 
a maximum of 256 microseconds for a full map. With more than 16 
users, process switching may require the loading of both an AMF and 
one of the 16 general purpose register sets from main memory. The 
latter occurs via the MRBM and MMRB privileged instructions. It takes 
6 microseconds to load a register set and 20 microseconds to both 
store and load. 

There is no hardware support for interprocess communication. 

Summary 

Table 2 summarizes the evaluation of the MODCOMP IV/35. The MODCOMP 
IV/35 satisfies all of the essential hardware features. There is 
additional support for some of the more important convenient features 
- specific access rights, more than two execution domains, and 
argument validation - and the MODCOMP IV/35 is judged a fair to good 
candidate for a security kernel implementation. 


PRIME 

PRIME Computer, Inc., Framingham, Massachusetts, offers a family of 
plug-compatible central processors: PRIME 100, 200, 300, 400, and 
500. PRIME machines are finding application in the areas of data 
communications, on-line data acquisition and control, 
transaction-based information processing systems, and multi-user 
computational utilities. The larger, more powerful PRIME 400 and 
PRIME 500 are the machines of interest here. Both support as a 
standard feature a segmented-paged virtual memory system and are 
designed for use as integrated interactive, queued-job, and real time 
systems. 

Virtual Memory 

The PRIME 400/500 provide a segmented-paged virtual memory 
organization. Page size is 1,024 words. Segment size may range from 0 
to 65,536 words in increments of 1,024 words - 0 to 64 pages. Unpaged 
segments are not permitted. Physical main memory is expandable up to 
8 M bytes in 64K byte modules. 

The per process virtual address space is 512 M bytes, consisting of 
4,096 segments. Thus, a process's active object (segment) table may 
contain 4,096 segment descriptors. Actually, each active segment 
table consists of four groups of 1,024 segments each. When a process 
is executing, four descriptor table address registers (DTARs) point 
to the main memory locations of the four groups of segment 
descriptors. 

Access rights apply on a segment basis; they can be selected from 
among none, read, read-execute, read-write-execute, and gate. 

Segment referenced and modified flags are hardware maintained for 
each page of a segment within the page map for each segment. 
I/O Access Control 

All I/O instructions are privileged instructions on the PRIME 
400/500. 

There is also some hardware support for control of DMA devices. The 
mapped I/O feature permits a DMA device to access the entire physical 
memory (as large as 8 M bytes) although the I/O bus has only an 
18-bit address width - for compatibility with PRIME 100, 200, and 300 
processors. All virtual DMA addresses are translated into physical 
addresses using the page table for segment 0. For example, if a DMA 
device is to read from main memory, a page table is constructed and 
pointed to by a segment descriptor that occupies the first entry of 
the group of segment descriptors pointed to by DTAR0. The segment 0 
descriptor will permit only read accesses to those pages defined by 
the page table. Hence, a block as large as 64K bytes may be 
transferred under the PRIME 400/500's mapped I/O. If a security 
kernel were implemented, the kernel must maintain the necessary 
virtual-to-physical correspondences in effect for the duration of the 
DMA transfer. 

Execution Domains 

The PRIME 400/500 supports a concentric ring protection mechanism. 
The three rings - numbered 0, 1, and 3 - are hierarchically ordered. 
Ring 0 is the most privileged. A process operating in ring 0 may 
execute privileged instructions and has read-write-execute access to 
all segments in the system. Some of the functions provided by 
privileged instructions are: 

1. loading the processor status register; 

2. hardware support for Dijkstra's P and V semaphores in the form of 
notify and wait instructions; these instructions complement the 
PRIME 400/500's extensive hardware support for process switching; 

3. input/output and priority interrupt control; and 

4. modification of processor modes which, among other things, permits 
virtual address translation to be turned on and off. 

Each segment descriptor includes two fields that define access rights 
to the segment. One field is set to define permitted access to the 
segment from procedures executing in ring 1, while the other defines 
permitted access from ring 3. In effect, then, a data segment is 
assigned to ring 0 exclusively by setting null access in the ring 1 
and ring 3 fields of its descriptor; as a variation, read access 
could be specified in the ring 1 field, permitting ring 1 procedures 
to read the data segment. A procedure segment is assigned to ring 0 
by setting, say, gate access in the ring 1 field and null access in 
the ring 3 field. Such a setting permits the procedure segment to be 
entered only from ring 1 via specific entry points defined within the 
ring 0 procedure. 

King  crossing  la  vary  flexible  and  occurs  by  means  of  the 
Procadure  Call  instruction  (PCL).  The  PCL  instruction! 

1.  computes  the  ring  number  of  the  celled  procedure) 

2.  allocates  a stack  frame  for  the  called  procedure) 

3.  saves  tha  cellar's  critical  state  information  in  the  new 
stack  fractal 

4.  loads  tho  critical  state  for  tho  called  procedure)  and 

3.  evaluates  tho  caller's  argument  pointers,  storing  a list 
of  final  effective  addresses  in  the  new  stack  frame. 

PCL.  addresses  an  entry  control  block  (ECB)  within  tha  procedure 
being  celled.  The  ECB  contains  the  critical  state  information  for 
tho  called  procadure,  such  ee  e pointer  (ring  number,  segment, 
offset)  to  the  first  executable  inetruction,  the  stack  frame  else  to 
be  allocated,  the  number  of  arguments  expocted  and  where  in  the  new 
stack  frame  to  put  them,  and  central  processor  inodes  to  be  set. 

The  ring  number  of  the  called  procedure  depends  upon  the 
caller's  access  privileges  to  the  segment  containing  the  entry 
control  block.  No  ring  change  occurs  if  the  caller  hae  read  access. 
If  the  caller  has  gate  access,  the  ring  of  execution  is  taken  from 
the  ECB  pointer  to  tho  first  executable  inetruction. 

Following the PCL instruction in the calling procedure is a
list of argument transfer templates which define the argument list.
During execution of the PCL instruction, the list of templates is
evaluated to generate a list of actual arguments (or pointers) in
the new stack frame. As part of the evaluation, argument validation
is performed. The called and calling ring numbers are ORed and the
resulting "weakened" ring number is inserted into each argument (or
pointer) transferred into the new stack frame. When the called
procedure is running and references a memory location pointed to by
an argument, it is granted only the weakened privileges as defined
within the descriptor for the referenced segment. (This validation
methodology is acceptable only if access faults can be tolerated in
ring 0. Since the PRIME 400/500 has clean fault handling, including
a stacking of critical machine conditions in a special ring 0 stack,
access faults can be tolerated in most applications.)

When the inner ring procedure returns (via the PRTN
instruction), its allocated stack frame is deallocated and the
calling procedure's state is restored.
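The following C model is added here to illustrate the ring-weakening step described above; it is an example written for this edit, not PRIME hardware or the report's own material. The four-ring numbering (0 most privileged, 3 least), the descriptor layout, the segment table contents and the function names are assumptions made for the example. The point it demonstrates is the confused-deputy case: a ring 3 caller hands a ring 0 gate a pointer whose ring field it has forged to 0, and PCL's OR of the calling and called rings turns it back into a ring 3 pointer before the gate dereferences it.

```c
#include <stdbool.h>

/* Added example (not PRIME code): ring-weakened argument pointers.
 * Rings 0..3, 0 most privileged. Segment numbers and brackets below
 * are constructed for the example. */

#define NRINGS 4
#define NSEGS  4

/* A segment descriptor records, per access type, the highest (least
 * privileged) ring number that is still allowed that access. */
typedef struct {
    unsigned read_ring;
    unsigned write_ring;
} seg_desc;

/* A pointer carries its own ring number alongside segment and offset. */
typedef struct {
    unsigned ring;
    unsigned seg;
    unsigned offset;
} ring_ptr;

typedef enum { ACC_OK, ACC_NO_READ, ACC_NO_WRITE, ACC_BAD_SEG } acc_result;

/* Constructed descriptor table (hypothetical contents). */
static const seg_desc segtab[NSEGS] = {
    { 0, 0 },  /* seg 0: kernel private                               */
    { 3, 0 },  /* seg 1: readable by everyone, writable by ring 0 only */
    { 3, 3 },  /* seg 2: ordinary user data                            */
    { 1, 1 },  /* seg 3: supervisor (ring 1) data                      */
};

/* What PCL does to each argument pointer it copies into the new frame:
 * the calling and called ring numbers are ORed and the result becomes
 * the pointer's ring. ORing the pointer's existing ring in as well is
 * this model's choice, so a pointer weakened by an earlier call is
 * never strengthened by a later one. */
static ring_ptr pcl_transfer(ring_ptr arg, unsigned calling_ring, unsigned called_ring)
{
    arg.ring |= (calling_ring | called_ring) & (NRINGS - 1);
    return arg;
}

/* Hardware check at dereference time: the pointer's ring must lie
 * within the descriptor's bracket for the requested access. */
static acc_result check_ref(ring_ptr p, bool is_write)
{
    if (p.seg >= NSEGS)
        return ACC_BAD_SEG;
    const seg_desc *d = &segtab[p.seg];
    if (is_write)
        return p.ring <= d->write_ring ? ACC_OK : ACC_NO_WRITE;
    return p.ring <= d->read_ring ? ACC_OK : ACC_NO_READ;
}

/* A ring 0 gate entry that writes through a caller-supplied pointer.
 * Because PCL weakened the pointer, the write succeeds only where the
 * caller itself could have written. */
static acc_result gate_write_via_arg(ring_ptr user_arg, unsigned calling_ring)
{
    ring_ptr weakened = pcl_transfer(user_arg, calling_ring, 0);
    return check_ref(weakened, true);
}
```

Note that plain OR is what the text describes and is not the same as taking the larger ring number: a ring 1 procedure calling ring 2 yields 1 | 2 = 3, which is more restrictive than either party. The model reproduces that behaviour rather than "correcting" it.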

Process Control


The PRIME 400/500 are unique among all of the machines surveyed
in their extensive hardware support for the subject abstraction.

The PRIME 400/500 make efficient memory usage of segment
tables. As is usual with segmented-paged architectures, the active
segment table and page tables are kept in memory, and an associative
cache memory is used to speed up address translation. In most
segmented-paged architectures, a single hardware register points to
the active segment table. As described earlier in the section on
virtual memory, the PRIME 400/500 have 4 descriptor table registers
(DTARs) pointing to 4 groups of segment descriptors. The advantage
of this arrangement is that the distribution of shared segments
(e.g., kernel and supervisory) is more efficient. With a single
active segment table, the table entries for shared segments are
duplicated for all processes, wasting a considerable amount of
memory. With the PRIME 400/500, the first two groups (2,048) of
segment descriptors are shared among all processes and the
respective DTARs need not be changed when processes are switched.
The other pair of DTARs point to two groups of segments that are
private to processes and must be stored and reloaded when processes
are switched.

Process switching is quite fast and efficient. A combination
of hardware and firmware automatically controls the allocation of
the central processor to the highest priority process in a queue of
processes ready for execution. There is no need for software
intervention. Priority process scheduling and dispatching -
including the saving and restoring of registers, and the allocation
of the two hardware sets of registers - is implemented in microcode.
(It is further claimed that six hardware register sets can be easily
implemented.)

The PRIME 400/500 offers hardware support for Dijkstra's P and
V semaphore operations. A semaphore defines an event whose meaning
is shared among two or more processes. Associated with the
semaphore may be a queue of processes awaiting the event; those
processes are waiting, and are not on the ready list of processes
competing for the CPU. A process signals an event by executing a
NOTIFY instruction on the semaphore defining the event. As a result
of the NOTIFY, a process on the waiting list for that event is moved
onto the ready list of processes. When a process executes a WAIT
instruction on a semaphore, it gives up the CPU and puts itself on
the wait list of processes associated with the semaphore. As a
result of the WAIT, the automatic process scheduling and dispatching
microprogram is executed.
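As an added illustration of the WAIT/NOTIFY behaviour just described (an example written for this edit, not PRIME microcode or text from the report), the C model below keeps a per-semaphore FIFO wait list and a ready list dispatched by priority, so that a NOTIFY which readies a higher-priority waiter preempts the notifier. The process table layout, the use of a lower number to mean higher priority, and the function names are assumptions made for the example.

```c
#include <stdbool.h>

/* Added example (not PRIME code): WAIT (P) / NOTIFY (V) on a counting
 * semaphore with a wait list, plus a priority dispatcher standing in
 * for the scheduling microprogram. */

#define MAXPROC 8
#define NONE    (-1)

typedef enum { P_READY, P_WAITING, P_RUNNING } pstate;

typedef struct {
    int    priority;   /* lower number = higher priority (assumed) */
    pstate state;
    int    next;       /* link in a semaphore's wait list, NONE if not queued */
} process;

typedef struct {
    int count;         /* Dijkstra counter; when negative, -count processes wait */
    int head, tail;    /* FIFO of waiting process ids */
} semaphore;

typedef struct {
    process proc[MAXPROC];
    int     nproc;
    int     running;   /* process holding the CPU, NONE if idle */
} machine;

static void machine_init(machine *m)
{
    m->nproc = 0;
    m->running = NONE;
}

/* Create a ready process; returns its id, or NONE if the table is full. */
static int machine_add(machine *m, int priority)
{
    if (m->nproc >= MAXPROC)
        return NONE;
    int id = m->nproc++;
    m->proc[id].priority = priority;
    m->proc[id].state = P_READY;
    m->proc[id].next = NONE;
    return id;
}

static void sem_init(semaphore *s, int count)
{
    s->count = count;
    s->head = s->tail = NONE;
}

/* Dispatcher: give the CPU to the highest-priority ready process,
 * preempting the current one if it is still runnable. Returns the id
 * now running, or NONE if nothing is ready. */
static int dispatch(machine *m)
{
    if (m->running != NONE && m->proc[m->running].state == P_RUNNING)
        m->proc[m->running].state = P_READY;

    int best = NONE;
    for (int i = 0; i < m->nproc; i++) {
        if (m->proc[i].state != P_READY)
            continue;
        if (best == NONE || m->proc[i].priority < m->proc[best].priority)
            best = i;
    }
    if (best != NONE)
        m->proc[best].state = P_RUNNING;
    m->running = best;
    return best;
}

/* WAIT executed by the running process: if the event has not been
 * signalled, leave the ready list, join the semaphore's wait list,
 * and let the dispatcher pick someone else. */
static int sem_wait(machine *m, semaphore *s)
{
    int pid = m->running;
    if (pid == NONE)
        return dispatch(m);
    if (--s->count < 0) {
        process *p = &m->proc[pid];
        p->state = P_WAITING;
        p->next = NONE;
        if (s->tail == NONE)
            s->head = pid;
        else
            m->proc[s->tail].next = pid;
        s->tail = pid;
    }
    return dispatch(m);
}

/* NOTIFY executed by the running process: move the oldest waiter, if
 * any, back to the ready list; the dispatcher then preempts the
 * notifier when the readied process has higher priority. */
static int sem_notify(machine *m, semaphore *s)
{
    if (++s->count <= 0 && s->head != NONE) {
        int pid = s->head;
        s->head = m->proc[pid].next;
        if (s->head == NONE)
            s->tail = NONE;
        m->proc[pid].next = NONE;
        m->proc[pid].state = P_READY;
    }
    return dispatch(m);
}
```

In a real kernel the wait and ready lists are themselves shared data; the point of doing this in microcode, as the text notes, is that no software path has to be trusted to keep them consistent across the switch.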


Summary

Table 3 summarizes the evaluation of the PRIME 400/500. Both
are judged as excellent hardware bases for a security kernel
implementation, as they satisfy all of the essential features and
nearly all of the convenient features.


GENERAL AUTOMATION

Only one machine offered by General Automation, Inc., Anaheim,
California, the GA-16/440, is evaluated. The GA-16/440 is
advertised as a fast, powerful, and versatile minicomputer system
for application in such areas as data communications, data
acquisition and control, batch processing, process control and
machine control [20]. When used in conjunction with the Memory
Management System option, the GA-16/440 provides a multiprogramming
environment for support of a multi-user computational utility.

Virtual Memory

The optional Memory Management System (MMS) provides a mapped
memory organization with a logical per process address space of 64K
words. Physical memory is expandable from 64K to 1,024K words in
16K modules. Although a maximum physical memory size of 1,024K
words can accommodate 16 distinct logical address spaces, only 4
sets of mapping registers are provided in high-speed scratch-pad
memory.

The MMS implements a paged virtual memory environment where
each page is 1K words in size. Each of the four maps contains 64
mapping registers. Of the four maps, only three may be available
for user processes, since map 1 may be employed for the mapping of
DMA device accesses to main memory.
There are write protect and execute protect bits in each page
descriptor; in effect, those bits implement null, read, read-write,
and read-write-execute access capabilities on a per page basis.

There is also some support for segmentation. The maps in
scratch-pad memory can be loaded and stored in groups of 8
contiguous page descriptors, permitting easy implementation of 8K
word segments.

I/O Access Control

The central element of the input/output system is the I/O bus;
up to 64 peripheral devices may be daisy-chained on the I/O bus.
Each device is assigned a unique 6-bit select code. All DMA devices
on the bus are attached to a Multiplexed High Speed Data Channel
Controller (MHSDC) that does all the bookkeeping and interface
protocol for high-speed data channel operations.

With the MMS option, all I/O is performed within supervisor
domain by means of privileged I/O instructions. Most I/O
instructions are privileged; ones that are not are those that access
the Floating Point Processor and the Arithmetic Unit, both of which
are treated as I/O devices.

As noted, the MMS permits the use of a register map for DMA
devices; all DMA device operations may be mapped through map 1 by
the MHSDC. This arrangement permits a DMA block transfer to occur
for a user that is not the currently executing user. Although the
Arithmetic Unit is treated as a DMA device, its accesses to main
memory are not mapped through map 1, but through the current user's
map.


Execution Domains

The MMS implements an operating environment external to the CPU
that consists of four domains: 3 mapped user domains using maps 0,
2, and 3; and an unmapped supervisor domain. This external
operating environment is created by interfacing the MMS to the I/O
bus as a DMA device (select code '39'). The MMS is activated and
controlled by sequences of programmed I/O commands.

The MMS operates in either mapped or transparent mode. In
transparent mode, the low 64K words of physical memory are
addressed directly. The supervisor domain operates in transparent
mode. The MMS may also operate in a privileged instruction
detection mode; this mode is turned off when privileged supervisor
domain is entered.
Transfer into supervisor domain by user domain software is
accomplished by execution of the Service Call (SVC) instruction.
SVC generates a non-inhibitable (NI) internal interrupt, forcing
transition into the transparent mode and initiating execution at a
predefined location within low core of supervisor space. An MMS
status word will hold the address of the SVC instruction that may be
used to recover an argument list or address to specify further the
desired service. The argument list or address can be obtained by
using the single cycle MMS instructions, which allow the privileged
supervisor to access data words through any map. These instructions
can be used for argument validation because an MMS fault can be
tolerated within supervisor domain.

Process Control

The MMS option provides the environment for multiple processes.
There is some support for an efficient process switch.

There are two sets of general purpose registers, each
containing 16 registers implemented in a "scratch-pad" memory - 8
foreground and 8 background registers. At any point in time, either
the foreground registers are accessible or the background registers
are accessible, but not both. A register set can be loaded from, or
stored into, main memory by the instructions LARS and SARS,
respectively. It takes about 15 microseconds to store and then load
a register set.

Given just three register maps for user processes, a process
switch may require the storing of an active map in memory and the
loading of a map image for another process. There are MMS
instructions to load and unload register maps. Map images are moved
between MMS maps and main memory by direct memory access. All
transfers are to/from supervisor space using real memory addresses,
since the MMS does not translate its own DMA addresses. It takes
approximately one microsecond per page descriptor loaded or
unloaded.

There is no hardware support for interprocess communication.

Summary

The evaluation of the GA-16/440 is summarized in Table 4.
While the GA-16/440 meets all of the essential criteria, it is rated
as just a fair to good candidate for a kernel implementation because
it lacks a good share of the convenient features.
IBM SERIES 1/MODEL 5

Just one IBM machine, the Series 1/Model 5 minicomputer, is
evaluated [??].

Virtual Memory

The optional Storage Address Relocation Translator Feature
implements a paged virtual memory environment. Each page is 2K
bytes in length and main memory may range from 16K bytes to 128K
bytes in 16K-byte increments. Eight sets of page descriptor
registers are provided; each set consists of 32 registers. One set
of registers is implicitly assigned to the privileged supervisory
domain for the handling of interrupts.

There are two access control bits per page descriptor: a valid
bit and a read only bit. When the valid bit is 0, the register
cannot be used for translation. In combination, the two access
control bits effectively provide null, read, and read-write access
rights.

A process may use 3 register maps concurrently, one for all
instruction fetches and two for operand fetches. Since instructions
and data can be mapped separately, execute only and read only access
rights are effectively implemented. Instruction space can only be
executed, while operand space cannot be executed.

Referenced and modified flags are not provided in page
descriptors.

I/O Access Control

A single I/O channel directs the flow of information between
I/O devices and the central processor or main storage. As many as
256 I/O devices - addressable by an 8-bit select code - can be
attached to the channel.

All I/O operations initiated by the processor occur via a
single, privileged I/O instruction (IO). The effective address
generated by IO points to a two-word immediate device control block
(IDCB). The IDCB holds an I/O command (interpreted by the I/O
channel), the addressed device, and a one-word immediate data word.
For programmed I/O commands that write to a device, the immediate
data word holds a data word for transfer; upon completion of
programmed I/O commands that read a device, the immediate data word
holds the data word read. For commands that initiate DMA device
transfers, the immediate data word holds the address of a DMA device
control block (DCB). All IDCBs and DCBs are in supervisor space.

There is some support for mapped DMA device access to main
memory. A field within the DCB selects one of the eight sets of
page descriptor registers for use in address translation during the
DMA transfer. However, the read-only bit is disabled during address
translation on DMA device accesses to main memory; as a result,
write protection violations are ignored. Only the validity bit is
checked; if the validity bit is not set, the logical page is invalid
and an invalid storage address interrupt is generated.
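The consequence of the last paragraph is easiest to see in code. The C model below is an added example for this edit (not IBM code and not part of the report) of the translator as the text describes it: 2K-byte pages, 32 registers per set, eight sets, a valid bit and a read-only bit. The descriptor layout, frame numbers, the 16-bit logical address and the function names are assumptions. A CPU store to a read-only page is refused, but the same store performed as a DMA transfer through the same map is translated and allowed, so the kernel cannot rely on the read-only bit to keep a device from overwriting a page it lent to a process read-only.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not IBM code): Series/1-style page translation for
 * CPU accesses versus DMA accesses. */

#define PAGE_SHIFT    11                       /* 2K-byte pages */
#define PAGE_MASK     ((1u << PAGE_SHIFT) - 1)
#define PAGES_PER_MAP 32                       /* 32 x 2K = 64K-byte logical space */
#define NMAPS         8

typedef struct {
    bool     valid;
    bool     read_only;
    uint16_t frame;                            /* physical page number */
} page_reg;

typedef struct {
    page_reg reg[PAGES_PER_MAP];
} page_map;

typedef enum { XL_OK, XL_INVALID_PAGE, XL_WRITE_PROTECT, XL_BAD_MAP } xl_status;

typedef struct {
    xl_status status;
    uint32_t  paddr;                           /* meaningful only when status == XL_OK */
} xl_result;

/* CPU operand access: both the valid bit and the read-only bit are honoured. */
static xl_result xl_cpu(const page_map *m, uint16_t vaddr, bool is_write)
{
    xl_result r = { XL_OK, 0 };
    const page_reg *pr = &m->reg[vaddr >> PAGE_SHIFT];
    if (!pr->valid) {
        r.status = XL_INVALID_PAGE;
        return r;
    }
    if (is_write && pr->read_only) {
        r.status = XL_WRITE_PROTECT;
        return r;
    }
    r.paddr = ((uint32_t)pr->frame << PAGE_SHIFT) | (vaddr & PAGE_MASK);
    return r;
}

/* DMA access through the register set named in the DCB: only the valid
 * bit is checked, so a write to a read-only page goes through. */
static xl_result xl_dma(const page_map maps[NMAPS], unsigned dcb_map, uint16_t vaddr, bool is_write)
{
    xl_result r = { XL_OK, 0 };
    (void)is_write;                            /* read-only bit is not consulted */
    if (dcb_map >= NMAPS) {
        r.status = XL_BAD_MAP;
        return r;
    }
    const page_reg *pr = &maps[dcb_map].reg[vaddr >> PAGE_SHIFT];
    if (!pr->valid) {
        r.status = XL_INVALID_PAGE;            /* invalid storage address interrupt */
        return r;
    }
    r.paddr = ((uint32_t)pr->frame << PAGE_SHIFT) | (vaddr & PAGE_MASK);
    return r;
}

/* Constructed user map for the example: page 0 read-write, page 3 a
 * read-only page (say, a buffer the kernel lent out read-only), and
 * every other page invalid. */
static page_map demo_map(void)
{
    page_map m = { 0 };
    m.reg[0].valid = true;  m.reg[0].read_only = false; m.reg[0].frame = 10;
    m.reg[3].valid = true;  m.reg[3].read_only = true;  m.reg[3].frame = 20;
    return m;
}
```

The defensive consequence for a kernel on such a machine is that a DCB must never name a page the requesting process may only read; the check has to be done in software when the DCB is built, since the hardware will not do it during the transfer.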

Execution Domains

Eight domains are provided: one privileged supervisor domain
and seven equally-unprivileged user domains. The seven user domains
are defined by the seven register maps available for user processes;
remember, map 0 is reserved for use by the supervisor.

There are privileged instructions that are executable only in
the supervisor domain. These instructions permit the supervisor to:

1.  perform I/O and enable/disable priority interrupt levels;

2.  load and store register maps;

3.  disable/enable the virtual memory translator; when
disabled, physical memory is directly addressed; and

4.  disable/enable the standard lock-and-key memory protection
mechanism which, when enabled, is used when the virtual
memory translator is disabled. By disabling the lock
and key mechanism, the supervisor can give itself
access to all of main memory.

Control is passed to supervisor domain by the occurrence of a
variety of interrupts, both class interrupts and I/O device
interrupts. One type of class interrupt is generated by the
execution of the supervisor call (SVC) instruction in user domain.
SVC causes transfer of execution to a fixed location in supervisor
space defined by an intercept vector also in supervisor space.

Arguments and results can be transferred between user and
supervisor domains easily. The supervisor can execute privileged
instructions that load/store the Address Key Register (AKR), which
defines the two active operand register maps and the single
instruction-fetch register map. To fetch an argument or store a
result, the supervisor simply loads the appropriate values into the
AKR and performs the operand fetch or store. However, since memory
write protection violations are ignored in supervisor domain, only a
limited form of argument validation is provided. The supervisor
cannot determine whether a user process really has write access to
the virtual addresses provided, only that the referenced addresses
are within the process' virtual space.

Process Control

There are four priority interrupt levels at which the central
processor may operate. Associated with each level is a set of
registers that may have to be stored/loaded during a process switch.
Each set includes an Address Key Register, a group of 8 general
purpose registers, a Level Status Register (LSR), which contains
status information and condition codes for processing at that level,
and a program counter for that level. Execution of the Set Level
Status Block (SELB) privileged instruction may cause the processor
to change priority interrupt levels. It may also require that the
register set associated with the target level be loaded with a Level
Status Block (LSB) from main memory. If so, the SELB instruction
loads an LSB from main memory beginning with the location specified
by the effective address.

If the process switch also requires the swapping of one or more
of the seven user register maps, the additional overhead can be
considerable because the Set Segmentation Register (SESR) privileged
instruction loads only one register at a time.

There is no hardware support for interprocess communication.

Summary

Table 5 summarizes the evaluation of the IBM Series 1/Model 5
minicomputer.

Although all of the essential criteria are satisfied, it is
only rated a fair candidate for a kernel implementation because
roughly half of the convenience features are not supported.


VARIAN 70 SERIES

This evaluation will consider several models of the Varian 70
series of computers offered by Varian Data Machines, Irvine,
California [22, 23]. The Varian 70 series was designed for maximum
performance in instrumentation, data acquisition, and communications
systems applications; with the MEGAMAP option, several models can be
adopted for multiprogramming applications. Microprogrammed control
stores permit a common instruction set among all machines in the
series.

There are two families of interest within the Varian 70 series:
V76 and V77. The basic difference between the two families is in
the types of power supplies used and the fact that the V76 family is
compatible with certain DMA devices used with Varian's earlier 620
minicomputer.

The models of interest are V76-1100, V76-1101, V77-400, and
V77-600; the MEGAMAP virtual memory system is an optional feature on
all four machines.

Virtual Memory

With MEGAMAP, physical memory may range from 32K words to
1,024K words of semiconductor RAM memory. MEGAMAP provides a 512-
word paged organization with a logical, per-process address space of
32K words. There are 16 maps for virtual address translation also
implemented in RAM memory; each map consists of 64 page descriptor
registers. Note that the 16 maps can address a total of only 512K
words, whereas 1,024K words of physical memory may be available.

There are four modes of access to each page: null, read, read-
execute, and read-write-execute. Support for execute-only access is
not provided.

Referenced and modified flags were provided in page descriptors
by the memory management option for the V72, V73, and V74 families
of the series. The memory management option that preceded MEGAMAP
could address only 256K words. Unfortunately, to permit MEGAMAP to
address 1,024K words, the referenced and modified bits were stolen
for use as physical address bits within the page descriptor.

I/O Access Control

With the MEGAMAP option, I/O instructions are treated as
privileged operations. A memory protection interrupt will result
from the attempted execution of an I/O instruction fetched from some
map other than MAP 0. Since instruction fetches are drawn from MAP
0 only when MEGAMAP is operating in executive mode, I/O instructions
are privileged to executive mode.

Three types of I/O are supported: programmed I/O, DMA, and
Priority Memory Access (PMA).

Programmed I/O uses separate program instructions to transfer a
byte or word to low-speed I/O devices and to initialize and start
the operation of high-speed DMA and PMA devices.

DMA devices share a memory port with the central processor and
steal memory cycles from the central processor to transfer blocks of
data at high rates. Note that MEGAMAP is itself a DMA device;
special memory map I/O instructions are defined to load and store
MEGAMAP's control registers, thereby setting its operating modes,
determining its status, and initializing and starting DMA transfers
of page descriptor map images between main memory and MEGAMAP's RAM
store. All DMA device transfers are mapped using a map specified
during DMA initialization. All MEGAMAP DMA transfers are mapped via
MAP 0.

The memory systems used in the V76 and V77 families are dual
port memory systems. One port is shared by the central processor
and DMA devices; the other port may be used by an optional PMA
controller for very high speed data transfers between main memory
and PMA devices - without interrupting the central processor. PMA
controllers are initialized with programmed I/O instructions in a
fashion similar to DMA controllers. All PMA transfers are mapped
through MEGAMAP, using a map specified at PMA device initialization.

Execution Domains

MEGAMAP provides 16 domains: 15 user domains (via MAP 1
through MAP 15) and one privileged, executive domain (MAP 0 or
unmapped direct access). There are only two hierarchically
structured domains of privilege: user and executive.

MEGAMAP actually has three modes of operation: inactive,
executive, and user. In inactive mode, address mapping is disabled
and the first 32K words of main memory are accessed directly. All
instruction fetches, operand fetches, and operand stores are
unmapped. All instructions, including I/O instructions, may be
executed. Inactive mode can only be entered from (and can be
considered an extension of) executive mode.

In executive mode, address translation is enabled and all
instruction fetches are via MAP 0. There are four states within
executive mode; the maps used for operand fetches and stores depend
on the particular state, as indicated below, where MAP n refers to
the active map indicator register.
    STATE    INSTRUCTION FETCH    OPERAND FETCH    OPERAND STORE

      0           MAP 0               MAP 0            MAP 0
      1           MAP 0               MAP 0            MAP n
      2           MAP 0               MAP n            MAP 0
      3           MAP 0               MAP n            MAP n

By changing its state (via programmed I/O instructions), the
executive domain can effect the transfer of data between any user
domain and executive domain. Care must be exercised here, though.
In all states, several instructions (LDAI, LDBI, or LDXI) always
fetch their operands using MAP 0. Also, to ensure that all
instruction fetches are via MAP 0, indirect addressing must not
exceed the first level in states 2 and 3, because after the first
level of indirect addressing, instruction fetches in some cases are
treated as operand fetches by the memory map.

Normally, memory protection checks are disabled when MEGAMAP is
operating in executive mode. Hence, the above facility is useful
for argument validation only when the checks are enabled in
executive mode.

All instructions except HALT are permitted in executive mode.
Inactive mode can be entered only from executive mode. Executive
mode is entered from user mode by the occurrence of memory
protection interrupts generated by CPU, DMA, or PMA accesses to main
memory, or by the execution of any illegal instruction (I/O or
otherwise) in user mode. Transfer is to specific, pre-defined
locations in low core. There is a single entry into executive mode
as a result of illegal instruction execution.

Process Control

MEGAMAP provides a suitable environment for multiple processes.
Since there are as many as 15 user maps, most process switching
should be limited to the swapping of central processor registers.

If the number of user processes to be supported exceeds 15, a
process switch may involve the storing and loading of a user map.
MEGAMAP can load itself using DMA at the rate of approximately 1.3
microseconds per page descriptor. Any number of consecutive maps
can be loaded or stored in one DMA block transfer.

Although all Varian 70 series machines are microprogrammable,
there do not appear to be any instructions provided to optimize the
swapping of the central processor's general purpose registers.
There is but one set of eight registers; each register must be
stored/loaded separately.

There is no hardware support for interprocess communication.
Summary

Table 6 summarizes the evaluation of the four models of
interest in the Varian 70 series. Since all of the essential
hardware features and many of the convenience features are provided,
the V76-1100, V76-1101, V77-400, and V77-600 are all rated as good
candidates for a security kernel implementation.

Considering other families within the Varian 70 series, the
V72, V73, V74, and V75 families can all be judged as good candidates
for a kernel implementation, provided the optional memory mapping
subsystem that preceded MEGAMAP is implemented. While the earlier
subsystem is limited to 256K of physical memory, the referenced and
modified flag convenience features were supported. Other than these
two flags and the physical memory capacities, the only other
difference between the two mapping subsystems is that the earlier
version supported either a 32K or 64K logical address space. With
a 32K word logical space, up to 16 translation maps are possible;
with a 64K logical space, up to 8 translation maps are possible.
Otherwise, the two mapping subsystems are equivalent.


INTERDATA

Just one machine offered by Interdata, Inc., Oceanport, New
Jersey, the 8/32, is evaluated [24]. The Interdata 8/32 is a high
performance 32-bit minicomputer designed for use in process
control, data communications, and multi-user time-sharing
applications.

Virtual Memory

The Memory Access Controller (MAC) is a standard feature on the
8/32; it provides automatic program relocation and protection under
a segmented virtual memory organization. Segments are variable in
length, ranging from 256 bytes to 64K bytes in blocks of 256 bytes.
Paging is not supported - an entire segment must be resident in main
memory. Physical memory may range from 128K bytes to 1,024K bytes
in increments of 128K bytes.

There is but one set of hardware mapping registers and it
consists of 16 segmentation registers. Thus, a single user domain
of 16 program and data segments is provided. The permitted modes of
access supported on a segment basis are: null, read, read-write,
read-write-execute, and read-execute. Neither referenced nor
modified flags are provided within the segment descriptor, although
a modified bit can be implemented with a minimal amount of software
overhead.

Table 6. Varian 70 Series

I/O Access Control

All I/O instructions are privileged instructions that can only
be executed when the central processor is in supervisory domain.

There is no mediation of DMA device operations. All DMA device
accesses to main memory via the selector channel are absolute and
unmapped.

Execution Domains

Only two execution domains are provided: one user domain in
which program addresses are mapped using the 16 segmentation
registers, and one supervisor domain in which program addresses are
unmapped (absolute) and privileged instructions may be executed.

Transfer into supervisor domain is automatic upon the
occurrence of an external or internal interrupt; execution of the
Service Call (SVC) instruction in user domain initiates an internal
interrupt with transfer to one of 16 entry points in supervisor
domain. The entry point selected is dependent upon an operand to
SVC supplied by the user.

A second operand to SVC is usually a pointer to the memory
location of the arguments needed by supervisor domain software to
complete the function specified. Argument validation can be
effected by execution of the Load Real Address (LRA) instruction
which simulates the operation of the MAC. Of all the domain-
oriented machines surveyed, the LRA instruction of the Interdata
8/32 provides the best means of argument validation. In effect, LRA
takes the virtual address pointer supplied as an operand to SVC and
translates it into a physical address using a translation map image
in main memory. (Note that LRA does not use the active map present
in the segmentation registers, but rather a map image.) If a memory
protection violation is detected, instead of a fault being
generated, as would result during normal address translation by the
MAC, the condition codes are set to reflect the type of violation
detected. The argument validation mechanism provided in most of the
other domain-oriented machines permits the supervisor to assume the
access privileges of the user domain by using the user's address
translation map to fetch the arguments. This scheme is only
partially satisfactory because an access fault interrupt may occur
and such faults are not always tolerable within the supervisor
domain.

Process Control

The MAC provides an environment for the support of multiple
processes.

There is some support for an efficient process switch in the
form of multiple sets - as many as 8 - of general purpose registers.
Four sets may be dedicated to interrupt handling at the four levels
of interrupt priority, leaving four sets that may be shared among
user processes and minimizing the need for storing and reloading a
register set on a process switch. The Load Multiple (LM) and Store
Multiple (STM) instructions can be used to load/store the currently
active register set from/into consecutive memory locations.

Unfortunately, only one user domain of 16 segmentation
registers is provided by the MAC. Switching user processes requires
the storing and reloading of the segmentation registers - a major
inconvenience. Values are loaded into the segmentation registers by
storing into assigned memory locations in low main memory, with the
MAC operating in unmapped mode. MAC registers are stored by reading
the dedicated locations and storing the values elsewhere in main
memory. To load or store MAC registers efficiently, the LM and STM
instructions should be used, using a general purpose register set as
intermediate storage.

There is no hardware support for interprocess communication.

Summary

The evaluation is summarized in Table 7.

The Interdata 8/32 meets all of the essential features, but due
to lack of support for the convenience features in the areas of I/O
Access Control and Virtual Memory, and considering the lack of a
third domain, it can only be rated a fair candidate for a security
kernel implementation.

Somewhat less of a fair rating is extended to the earlier
7/32 model. The 7/32 includes the MAC as an optional feature,
whereas the MAC is part of the basic processor on the 8/32.
Further, the 7/32 provides only 2 sets of general purpose registers
(no priority interrupt levels) which, on the average, would tend to
increase the overhead incurred on process switching.
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el lent 


HONEYWELL'S  SCOMP 


One of the development activities sponsored by ESD in the area
of secure computer systems was the design, implementation, and
verification of a security kernel for Honeywell's Multics system
[25], a large-scale, general purpose computer utility. Part of that
effort was the development of a kernel-based secure front-end
processor (SFEP) for secure Multics [26]. The hardware base for the
SFEP development is Honeywell's SCOMP, a Level 6 Model 43
minicomputer [27] enhanced by a hardware Security Protection Module
(SPM) that facilitates the conversion of the commercial, unprotected
6/43 into a kernel-based, secure front-end or communications
processor. However, the SCOMP possesses sufficient computational
capacity for application as a general purpose computer utility.

The SPM was specifically designed to serve as the hardware
component of the SFEP security kernel. So it should not be
surprising to find that it includes virtually all of the hardware
features considered essential or convenient to an effective security
kernel implementation. The function of the SPM is to mediate,
through a descriptor structure, all interactions between the various
modules (processors, I/O devices, memories) connected to the 6/43's
MEGABUS. The SPM may be thought of as a general address translation
and access mediator for a number of requestors - the modules
connected to the MEGABUS.

Virtual  Memory 


The SPM implements a segmented-paged virtual memory
organization, with a per process virtual address space of up to 64K
words and a physical memory expandable to 1M words. A hardware
register, the descriptor base register (DBR), points to a table of
descriptors defining the objects (resources) - both virtual memory
segments and I/O devices - accessible to the currently executing
process.

Both paged and unpaged virtual memory segments are allowed. If
unpaged, the segment descriptor points to the segment's physical
address; if paged, the segment descriptor points to a page table for
the segment.

Referenced and modified bits are maintained within both the
segment descriptor and all page descriptors for paged segments. For
unpaged segments they are maintained within the segment descriptor.

Access control information is maintained within the segment
descriptor. It consists of three ring bracket fields (R1, R2, R3)
and three 1-bit access permission fields (R, W, E). The access
modes supported are any subset of the set (read, write, execute),
constrained by the effective ring number, Reff, and the values of
certain ring bracket fields. The calculation of Reff is described
below in the subsection on Execution Domains; in general, the value
of Reff is greater than or equal to the current ring of execution.
The access control information is interpreted according to the
following rules, where Reff, R1, R2, and R3 may assume the integer
values 0, 1, 2, 3:

1) Write permission if (W = ON) and (Reff ≤ R1); rings 0
through R1 inclusive are defined to be the write bracket for the
segment; processes executing in rings 0 through R1 may write the
segment if (W = ON).

2) Read permission if (R = ON) and (Reff ≤ R2); rings 0
through R2 inclusive are the read bracket.

3) Execute permission if (E = ON) and (R1 ≤ Reff ≤ R2); rings R1
through R2 inclusive are the execute bracket.

4) If (E = ON) and (R3 > R2) and (R2 < Reff ≤ R3) execution
will cause an inward ring transfer provided the CALL instruction is
used; rings R1 through R3 are the call bracket; R2 becomes the new
ring of execution; a segment defined by a segment descriptor where
R3 > R2 is called a gate segment.

I/O Access Controls

I/O devices are supported within the virtual memory
organization. They are accessed by process-local virtual device
addresses, which are translated by the SPM into physical device
addresses using a set of descriptors for I/O devices. The DBR
points to both the set of I/O device descriptors and segment
descriptors accessible to the currently executing process. Unlike
segments, however, I/O devices cannot be shared among processes, so
I/O device descriptors are not shared.

Access control information is maintained within the I/O device
descriptor. It consists of the R1, R2, and R3 ring bracket fields
and the R, W, and E access permission fields. The value of Reff is
calculated by the SPM in the same manner as for memory accesses.
The permitted modes of access are determined by the following rules:

1) Read permission (initiate a read from the device) if (R =
ON) and (Reff ≤ R2); rings 0 through R2 are the read bracket.

2) Write permission (initiate a write to the device) if (W =
ON) and (Reff ≤ R1); rings 0 through R1 are the write bracket.

3) Device control operations (status, positioning requests)
are permitted if (E = ON) and (Reff ≤ R3); rings 0 through R3 are
the control bracket.

There are two forms of DMA device control; DMA devices may be
mapped or pre-mapped. The pre-mapped facility is provided so that
the full performance capability of DMA devices can be attained
without the overhead incurred by the SPM's virtual to physical
memory address translation. The memory access checks are made by
the SPM when the block transfer is initiated by the user process.
The process supplies a virtual address for the block transfer and an
extent (length). The SPM verifies that the device has been assigned
to the process, that all memory addresses affected by the transfer
have the proper access permission for the effective ring number and
access mode of the process, that the affected memory addresses are
described by a single direct memory page descriptor or unpaged
segment descriptor, and that the process' I/O device descriptor
allows the requested access mode for the process' effective ring of
execution. If the SPM checks are verified, the SPM will give the
DMA device a physical memory address and extent, and start the
transfer. Because it is necessary to trust the operation of the I/O
channel, certification of this type of I/O is not believed to be
possible; this type of I/O was not included in the top-level
specification of the SFEP security kernel [26].

With the mapped facility, DMA devices use virtual memory
addresses that are translated and access checked by the SPM. When a
mapped DMA device is initialized, the SPM verifies that the device
is assigned to the process, and that the I/O descriptor for the
device permits the requested mode of access for the effective ring
of execution of the process. If the checks pass, the SPM initiates
the block transfer. Since DMA I/O is asynchronous (i.e., a DMA
transfer may have been initialized by a process different from the
process currently executing on the processor), the SPM must
remember, for each active mapped DMA device, the effective ring of
execution and a set of memory segment descriptors for the process
that initiated the I/O transfer.

Execution  Domains 


The SPM implements a concentric four-ring structure, where the
rings are numbered 0, 1, 2, and 3, with ring 0 most privileged and
ring 3 least privileged.

Ring crossing is controlled by the SPM, but is very flexible.
Transfer to a gate segment assigned to an inner ring, from a process
executing within the call bracket of the gate segment, is via the
CALL instruction. The current ring of execution is changed to the
value of R2 in the descriptor for the gate segment only if R2 < Reff
≤ R3; otherwise the current ring of execution is unchanged because
the gate segment has been called from within its execute bracket.

The gate segment descriptor also defines a call limiter which
defines a series of valid entry points at lower segment offsets.
The SPM verifies that the second component (offset) of the CALL
instruction's effective virtual address is within the call limiter.
Typically, the segment locations defined by the call limiter are a
series of jump instructions to actual entry points within the
segment. The CALL instruction places the ring of the calling
procedure into a program visible register. The RETURN instruction
is used to transfer control back (outward) to the calling procedure;
the SPM insures that the return is outward.

The transfer of data across ring boundaries is convenient
because the inner ring procedure has access capabilities equal to or
greater than the outer ring procedure. There are two argument
validation mechanisms.

The first is the calculation of Reff, the effective ring of
execution, during the development of an effective virtual address.
For simple memory references without indirection, Reff is equal to
the current ring of execution (Rcur) as maintained by the SPM.
However, in the case involving multiple indirections through many
segments, the SPM will maintain in Reff the maximum value of the
ring number R1 in all descriptors encountered during the preparation
of the effective virtual address. Reff is set to Rcur at the
beginning of each instruction cycle; for each descriptor encountered
between instruction fetch and operand fetch, Reff is recomputed as
the maximum of current Reff and R1 of the descriptor. The new Reff
applies to fetches of all subsequent indirect addresses or data.

A second validation mechanism is provided for the more general
problem where an argument pointer (i.e., a non-effective address) is
copied from the outer ring to the inner ring, for instance to
prevent tampering. The above mechanism will not work here, since
the address constant (indirect address) now resides within the inner
ring. The SPM provides a mechanism whereby an inner ring procedure
can force the validation of a reference to an arbitrary virtual
address with respect to any higher ring number. This can be
accomplished by storing a ring number with the pointer when it is
copied into the inner ring; the value of the ring number is the
value of Reff computed as if the pointer were referenced directly.
On subsequent indirect references by the inner ring through this
copied pointer, the SPM uses this ring number as another factor in
maximizing Reff. Note again that this type of argument validation
mechanism can be used only if access violation faults can be
tolerated within ring 0. (See LAST in 6/43 manual.)

The SPM also provides automatic stack location upon inner ring
calls. When a multi-ring gate procedure segment (R1 R2 R3) is
called, it can locate the address of the stack segment for the
current ring by using the value in Rcur to index into a table of
preset stack pointers, since stack segment numbers are keyed by
convention to the current ring number.
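The following C model is an added example, not code from the report or from Honeywell, that encodes the SPM rules described in the Virtual Memory, I/O Access Controls and Execution Domains subsections: segment rules 1-4, the three I/O device rules, the Reff maximization used by both argument validation mechanisms, and the ring change performed by CALL. All names are this example's own, and the call limiter is modelled as an upper bound on the entry offset, which is an assumption.

```c
/* Added example, not code from the report or from Honeywell: a C model of
 * the SPM ring-bracket rules.  Names (struct spm_desc, spm_*) are this
 * example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SPM_NO_TRANSFER (-1)   /* CALL refused by the SPM */

/* Segment or I/O device descriptor: three ring bracket fields (0..3) and
 * three 1-bit permission fields. */
struct spm_desc {
    int r1, r2, r3;
    bool r, w, e;
};

/* Memory segment rules 1-3 (Virtual Memory subsection). */
bool seg_write_ok(const struct spm_desc *d, int reff) {
    return d->w && reff <= d->r1;                  /* write bracket 0..R1 */
}
bool seg_read_ok(const struct spm_desc *d, int reff) {
    return d->r && reff <= d->r2;                  /* read bracket 0..R2 */
}
bool seg_exec_ok(const struct spm_desc *d, int reff) {
    return d->e && d->r1 <= reff && reff <= d->r2; /* execute bracket R1..R2 */
}

/* I/O device descriptor rules 1-3 (I/O Access Controls subsection). */
bool dev_read_ok(const struct spm_desc *d, int reff)    { return d->r && reff <= d->r2; }
bool dev_write_ok(const struct spm_desc *d, int reff)   { return d->w && reff <= d->r1; }
bool dev_control_ok(const struct spm_desc *d, int reff) { return d->e && reff <= d->r3; }

/* First validation mechanism: Reff starts at Rcur each instruction cycle and
 * is raised to the R1 of every descriptor met while forming the effective
 * address.  r1_chain[] holds those R1 values in the order encountered. */
int spm_reff(int rcur, const int *r1_chain, size_t n) {
    int reff = rcur;
    for (size_t i = 0; i < n; i++)
        if (r1_chain[i] > reff)
            reff = r1_chain[i];
    return reff;
}

/* Second mechanism: a pointer copied into the inner ring carries the ring
 * number (the Reff it would have had if referenced directly); the SPM folds
 * that number into the maximization on later indirections through it. */
int spm_reff_via_copied_ptr(int rcur, int stored_ring, const int *r1_chain, size_t n) {
    int reff = spm_reff(rcur, r1_chain, n);
    return stored_ring > reff ? stored_ring : reff;
}

/* CALL to a segment: rule 4 plus the ring-crossing rules of the Execution
 * Domains subsection.  Returns the new ring of execution or SPM_NO_TRANSFER.
 * The call limiter is modelled as "offset < call_limit" (an assumption of
 * this example; the report only says the offset must lie within it). */
int spm_call(const struct spm_desc *d, int reff, int offset, int call_limit) {
    if (!d->e)
        return SPM_NO_TRANSFER;
    if (d->r1 <= reff && reff <= d->r2)
        return reff;                         /* inside execute bracket: ring unchanged */
    if (d->r3 > d->r2 && d->r2 < reff && reff <= d->r3) {
        if (offset >= call_limit)            /* not a valid gate entry point */
            return SPM_NO_TRANSFER;
        return d->r2;                        /* inward transfer: ring becomes R2 */
    }
    return SPM_NO_TRANSFER;                  /* outside call bracket R1..R3 */
}

/* Constructed descriptors used by the demonstration below. */
static const struct spm_desc KERNEL_GATE = { 0, 0, 3, true, false, true }; /* gate: R3 > R2 */
static const struct spm_desc KERNEL_DATA = { 0, 0, 0, true, true, false }; /* ring 0 only */
static const struct spm_desc USER_DATA   = { 3, 3, 3, true, true, false }; /* any ring */

int main(void) {
    /* A ring-3 process calls the kernel gate at a valid entry point. */
    int ring = spm_call(&KERNEL_GATE, 3, 2, 8);
    printf("ring after gate CALL from ring 3: %d\n", ring);               /* 0 */

    /* The kernel (ring 0) dereferences a pointer copied from ring 3; the stored
     * ring number 3 raises Reff to 3, so a kernel-only segment is refused. */
    int chain[] = { 0 };                     /* the copied pointer lives in a ring-0 segment */
    int reff = spm_reff_via_copied_ptr(0, 3, chain, 1);
    printf("Reff through copied user pointer: %d, kernel data readable: %s\n",
           reff, seg_read_ok(&KERNEL_DATA, reff) ? "yes" : "no");         /* 3, no */
    printf("user data readable at that Reff: %s\n",
           seg_read_ok(&USER_DATA, reff) ? "yes" : "no");                 /* yes */
    return 0;
}
```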

Process  Control 

The SPM implements a robust multiprogramming environment for
the support of multiple processes.

Process switching time within the SCOMP is virtually the same
as for the Level 6/Model 43, since the SPM adds only the overhead of
loading the DBR and Rcur registers. Two of the program visible
registers, status (S) and program counter (P), are automatically
saved and restored upon interrupt. The remaining registers have
their context stored and restored under firmware control according
to a 32-bit mask. The mask, settable under program control, can be
used by the save context (SAV2) and restore context (RES2)
instructions to save/restore any subset of the program visible
registers.

Hardware support for interprocess signalling/communication is
lacking.

Summary 


The evaluation of the SCOMP is summarized in Table 8.

Support for a security kernel implementation was a fundamental
design goal of the SCOMP, so it is no surprise that it scored so
well. What is important to note about the SCOMP is that a
commercial minicomputer, the Level 6/Model 43, which provides none
of the essential and convenient features, was enhanced by the SPM to
provide just about all of the desired features. The SPM is designed
to simply plug into the 6/43's MEGABUS in place of the commercial
memory management unit. The SPM approach to providing security
kernel hardware features should be applicable to other similarly
bus-structured architectures.


DIGITAL EQUIPMENT CORPORATION


This evaluation deals only with the PDP-11/45 minicomputer
offered by Digital Equipment Corporation, Maynard, Massachusetts
[28]. The PDP-11/45 is at the high performance end of the PDP-11
family of upward compatible computers. The 11/45 was designed for
high-speed real-time applications and, when configured with the
Memory Management Unit (MMU), medium-to-large-scale, multiple user,
interactive applications.

Virtual Memory

The MMU provides an unpaged segmented virtual memory, where
segments may range in size from 32 words to 4,096 words in blocks
of 32 words. Physical memory has a capacity of 124K words.

The logical per process address space consists of 48 4K
segments. The 11/45 is a three domain machine: user, supervisor,
and kernel domains. Each domain is associated with a set of 16
segment descriptor registers, so a process virtual address space
consists of as many as 16 segments in user space, 16 in supervisor
space, and 16 in kernel space.

Access control information within segment descriptors defines
three modes of access: null, read-execute, and read-write-execute.
In addition, since program and data segments can be mapped
separately - in each domain, there are 8 instruction (I) space
segmentation registers and 8 data (D) space segmentation registers -
execute-only and read-only execute access modes are supported.

Referenced and modified flags are both supported within
segment descriptor registers.

I/O Access Control

There are no privileged I/O instructions. Rather, control,
status, and data registers for I/O devices are located in the high-
order 4K words of physical memory, and I/O device registers are
accessed like any other memory locations. A security kernel would
restrict I/O device accesses to itself by permitting only kernel
mode data segments to map into the device registers in physical
memory.

Alternatively, the kernel can permit users to perform I/O by
mapping user segments to requested I/O device registers. An
implementation problem here is that segments must be at least 32
words long and the total I/O space is only 4K words. Further, since
DMA device accesses to main memory are not routed through the MMU,
any form of user I/O must be limited to slow-speed, programmed I/O
devices.

Execution Domains

As stated previously, with the MMU there are three execution
domains: user, supervisor, and kernel. Which of the three sets of
segmentation registers is used for address translation is determined
by bits 14 and 15 of the processor status word (PSW). The three
domains are hierarchically structured in terms of privilege.

Data is transferred between domains by four instructions: Move
From Previous Instruction space (MFPI), Move From Previous Data
space (MFPD), Move to Previous Instruction space (MTPI), and Move to
Previous Data space (MTPD). MFPI, MFPD, MTPD, and MTPI are designed
so that the innermost domain controls the data transfer. These
instructions can be used for argument validation only if MMU faults
can be tolerated within the kernel; otherwise validation must be
done in software.

There are only three privileged instructions which may be
executed in kernel domain only: HALT, RESET (External Bus), and Set
Priority Level (in PSW). The MMU segmentation registers and the PSW
are located in the high-order 4K words of physical memory - along
with the I/O device registers - so the kernel domain can restrict
access to these locations via memory management.

Transfer inward to kernel domain occurs as the result of all
interrupts and via a set of trap instructions (EMT, TRAP, BPT, IOT).
Since all trap and interrupt vectors are located in kernel virtual
space, all traps and interrupts must pass through kernel space to
get the new program counter (PC) and PSW. Thus, control cannot pass
directly from user to supervisor space, but must be routed through
kernel space. Control is passed outward by the Return from
Interrupt (RTI) and Return from Trap (RTT) instructions.

Stacks are maintained for each domain; there is a stack pointer
(SP) register for each domain. When a trap or interrupt occurs, the
PC and PSW are pushed onto the stack pointed to by the SP specified
by bits 14, 15 of the new PSW fetched from the interrupt or trap
vector stored in kernel space. The old stack is restored upon RTI
or RTT.
Process Control


The MMU provides the multiprogramming environment to support
multiple processes.

Process switching is perhaps most inefficient on the PDP-11/45
compared to the other machines surveyed. There are two sets of 6
general purpose registers (R0 through R5), three SP registers, and
one PC. Typically, the PC, the 3 SP, and one set of 6 general
purpose registers must be saved/restored on a process switch. Each
register must be saved/restored individually. Also, at least 32 MMU
segmentation registers - minimally the 16 user and 16 supervisor -
must be saved/restored, each individually.

There is no hardware support for interprocess communication.

Summary

The evaluation of the PDP-11/45 is summarized in Table 9.

Despite its relatively poor support for multiple processes, the
11/45 is rated a good candidate for an effective security kernel
implementation. In fact, a prototype security kernel has already
been successfully implemented and demonstrated on an 11/45 [29].
Also, security kernels to provide a secure base for a prototype
secure UNIX operating system are being implemented at both MITRE and
UCLA [30].

A rating of good can also be extended to the highest
performance model of the PDP-11 family, the 11/70, on which the MMU
is a standard feature.


DATA  GENERAL  ECLIPSE 

The ECLIPSE line of computers offered by Data General
Corporation, Southboro, Massachusetts, includes three machines, the
S/100, S/200, and C/300 [32]. The latter two will be evaluated as
only they may be configured with the Memory Allocation and
Protection (MAP) feature for application as general purpose computer
utilities.

Virtual Memory

With the MAP feature, main memory can be expanded from its
standard limit of 64K bytes to a maximum of 256K bytes, in
increments of 16K-byte modules. MAP provides a paged virtual memory
organization with a 2K byte page size. There are 3 sets of hardware
mapping registers, two user maps and one map for DMA device
transfers. Each user map consists of 32 mapping registers, so the
logical address space per user process consists of 32 2K pages.

A single access control bit, the write-protection bit, is
provided within each page descriptor; the permitted modes of per
page access are null, read, and read-write. Referenced and modified
bits are not supported.

I/O Access Control


The ECLIPSE computers are attractive for their support of I/O
access controls. I/O instructions are not privileged. Rather, the
MAP feature includes two 64-bit maps that control accesses by the
two user processes to the 64 I/O devices that may be attached to the
I/O bus. The active bit map permitting, the active user process may
perform I/O on both slow speed and DMA I/O devices. If the bit
corresponding to a given device within the active bit map is "1",
the active process can execute I/O instructions on that device. If
"0", the active process may not access the device and a protection
fault will occur if access is attempted. This I/O device access
protection can be disabled when the CPU is operating in privileged
supervisor mode.

Also, as stated above, the MAP feature provides a set of
mapping registers used to translate memory addresses presented by
the data channel. All DMA I/O devices access main memory through
the data channel, so all DMA device accesses to main memory are
mapped. This mapping provides write protection on pages within the
data channel's logical address space. An attempt to write (data
channel input) into a write protected memory location does not cause
a protection fault; rather, the attempt simply fails and a bit is
set within a MAP status register.

I/O on an ECLIPSE secured by a security kernel would be
controlled in the following manner. Users would request access to
I/O devices from the kernel. The kernel would grant or deny access
based on the security levels of the device and requesting process,
the mode of access, and whether or not the device is in use. If
access is granted, the kernel, operating in supervisor mode, would
set the appropriate bit of the 64-bit I/O device map for the active
(requesting) process. When processes are switched, an I/O device
bit map must be loaded from memory with a map image for the new
active process. Further, so that DMA device transfers can occur on
behalf of non-active processes, the kernel must keep the data
channel map consistent with the access requirements of all processes
that have initiated DMA transfers.
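The following C model is an added example, not code from the report or from Data General, of the kernel procedure just described for the 64-bit I/O device bit map: the kernel sets a device's bit when it grants a request, the MAP refuses (faults) an I/O instruction whose bit is "0" unless the CPU is in supervisor mode, and a process switch reloads the map from the new process's image in memory. The level rule inside kernel_grant_device and all names are this example's assumptions; the report states only that the decision depends on the two levels, the mode and whether the device is in use.

```c
/* Added example, not code from the report or from Data General: a model of
 * a kernel driving the ECLIPSE MAP's 64-bit I/O device bit maps. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ECLIPSE_DEVICES 64
#define NO_OWNER (-1)

enum io_mode { IO_READ, IO_WRITE };

struct process {
    int id;
    int level;             /* security level; small-integer encoding assumed */
    uint64_t io_map_image; /* memory image of the process's 64-bit I/O device map */
};

struct device {
    int level;
    int owner;             /* process id that holds the device, or NO_OWNER */
};

/* MAP state: the bit map loaded for the active process, and the CPU mode
 * (device access protection is disabled in privileged supervisor mode). */
static uint64_t active_io_map;
static bool supervisor_mode;

/* Hardware side: an I/O instruction addressed to device 'dev' succeeds if the
 * device's bit is "1" in the active map; otherwise a protection fault occurs
 * (modelled here as returning false). */
bool map_io_instruction(int dev) {
    if (dev < 0 || dev >= ECLIPSE_DEVICES) return false;
    if (supervisor_mode) return true;
    return (active_io_map >> dev) & 1u;
}

/* Kernel side: grant or deny a user request.  The level test is a placeholder
 * assumed by this example (read a device at or below the process's level,
 * write only a device at the same level). */
bool kernel_grant_device(struct process *p, struct device *devs, int dev,
                         enum io_mode mode, bool p_is_active) {
    if (dev < 0 || dev >= ECLIPSE_DEVICES) return false;
    struct device *d = &devs[dev];
    if (d->owner != NO_OWNER && d->owner != p->id) return false;  /* device in use */
    bool level_ok = (mode == IO_READ) ? (d->level <= p->level) : (d->level == p->level);
    if (!level_ok) return false;
    d->owner = p->id;
    p->io_map_image |= (uint64_t)1 << dev;       /* set the device's bit in the image */
    if (p_is_active)
        active_io_map = p->io_map_image;         /* kernel writes the MAP in supervisor mode */
    return true;
}

void kernel_release_device(struct process *p, struct device *devs, int dev, bool p_is_active) {
    if (dev < 0 || dev >= ECLIPSE_DEVICES || devs[dev].owner != p->id) return;
    devs[dev].owner = NO_OWNER;
    p->io_map_image &= ~((uint64_t)1 << dev);
    if (p_is_active) active_io_map = p->io_map_image;
}

/* Process switch: the MAP's device bit map is reloaded from the image kept in
 * memory for the new active process. */
void kernel_switch_to(const struct process *next) {
    active_io_map = next->io_map_image;
}

/* Constructed sample configuration: device i has level i % 3. */
static struct device devs[ECLIPSE_DEVICES];
static struct process proc_a = { 1, 2, 0 };   /* level 2 */
static struct process proc_b = { 2, 1, 0 };   /* level 1 */

void eclipse_reset(void) {
    for (int i = 0; i < ECLIPSE_DEVICES; i++) { devs[i].level = i % 3; devs[i].owner = NO_OWNER; }
    proc_a.io_map_image = proc_b.io_map_image = 0;
    active_io_map = 0;
    supervisor_mode = false;
}

int main(void) {
    eclipse_reset();
    kernel_switch_to(&proc_a);
    printf("A granted device 5 (level %d) for read: %d\n", devs[5].level,
           kernel_grant_device(&proc_a, devs, 5, IO_READ, true));       /* 1 */
    printf("A may issue I/O to device 5: %d\n", map_io_instruction(5)); /* 1 */
    kernel_switch_to(&proc_b);
    printf("B may issue I/O to device 5 after switch: %d\n", map_io_instruction(5)); /* 0 */
    printf("B granted device 5 while A holds it: %d\n",
           kernel_grant_device(&proc_b, devs, 5, IO_READ, true));       /* 0 */
    return 0;
}
```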

Execution Domains

MAP provides 3 domains: two user mapped domains and one
supervisor unmapped domain. There are only two levels of privilege
however, user and supervisor. Supervisor domain can enable/disable
MAP's various memory protection features and can access directly the
first 62K bytes of main memory.

Transfer into supervisor domain occurs as the result of all
interrupts and memory protection faults, and by the execution of the
System Call (SYC) instruction in user domain. SYC transfers
execution to a point defined by a single location in low main memory
(location 2).

Data transfer between user and supervisor domain is quite
convenient; there are two means of transfer at the disposal of the
supervisor domain. One is use of the MAP SINGLE CYCLE instruction
which permits the supervisor to use the last user map enabled for
the next memory reference. The MAP SINGLE CYCLE instruction is one
of several I/O instructions used to program the MAP. The MAP is
treated like any other I/O device and the I/O device bit map is used
to make the MAP accessible only to the supervisor domain and
inaccessible to user processes. Hence use of MAP SINGLE CYCLE is
restricted to supervisor domain.

The other means of data transfer is through a special mapping
register for logical page 31 of supervisor address space. As noted,
logical pages 0 through 30 are unmapped, meaning pages 0 through 30
of physical memory are accessed directly in supervisor domain. This
special map allows the supervisor domain to transfer multiple data
words to/from user space without resorting to MAP SINGLE CYCLE,
which can be time consuming.

Both means of data transfer can be used to validate the data
transferred, provided, of course, memory protection faults can be
tolerated within supervisor domain.

No support for stack switching on domain crossing is provided.

Process Control


Addition of the MAP option provides the relocation and
protection features necessary for a multiple process environment.

Although there are only two user maps, process switching is
reasonably efficient because of the fast and flexible manner in
which all of the maps - two user maps, the DMA map, and the two user
I/O device bit maps; 112 registers in all - can be stored/loaded.
Any number of contiguous registers can be stored/loaded into/from
main memory by DMA at approximately 1 microsecond per register.

It takes only two instructions to save context - 4 general
purpose registers, 4 stack registers, program counter - of a user
process; context is saved automatically upon interrupts and faults.
Only a single instruction is necessary to load a context. Total
context switch latency is on the order of 15 microseconds.

There is no hardware support for interprocess communication.

The evaluation of the ECLIPSE S/200 and ECLIPSE C/300 is
summarized in Table 10.

The two machines are rated fair to good candidates for an
effective kernel implementation. Although relatively weak in the
areas of process support, protection domains, and access rights, the
ECLIPSE line offers excellent hardware support in the area of I/O
control.


HEWLETT  PACKARD 

Orly  one  Hewlett  Packard  computer  eystem,  the  HP  3000  Series  II 
[32],  Is  evaluated.  The  HP3000/I1  ie  a general  purpose  computer 
utility  designed  for  both  batch  and  interactive  data  processing.  It 
is  a stack  bused  architecture  end  as  such  provides  many  powerful 
operating  features { e.g, , shared,  reentrant,  and  recursive  coda 
segments,  efficient  parameter  passing  and  subprogram  linkage.  Three 
models  are  available;  5,  7,  and  9,  and  this  evaluation  applies  to 
all  three. 

Virtual  Memory 

The  UP3QOO  provides  a segmented  virtual  memory  organization 
which  is  tailored  toward  ita  stack  based  architecture.  Code 
segments  may  be  32K  by tee  in  length;  data  augments  may  range  up  to 
64K  bytes.  Physical  main  memory  ranges  from  128K  bytes  of 
semiconductor  memory  up  to  512K  bytes.  In  modules  of  f>4K  bytes. 


Program  addressing  is  not  descriptor  based  in  the  conventional 
sense,  however,  and  access  checking  capabilities  are  not  supported  - 
a serious  deficiency.  In  all  of  the  virtual  or  mapped  memory 
systems  examined  thus  far,  pages  or  segments  are  defined  by  and 
addressed  through  descriptors.  User  program  addresses  ere  virtual 
and  are  translated  into  physical  main  memory  addressee  using 
descriptor  information,  and  process  access  rights  to  the  accessed 
page  or  segment  are  checked.  On  the  HP3000,  all  code  and  data 
augments  currently  in  use  on  the  system  are  defined  by  four-word 
entries  within  a global  code  segment  table  (CST)  and  global  data 
augment  table  (DST).  Those  entries  contain  some  of  the  information 
that  conventional  segment  descriptors  usually  hold)  an  absence  bit, 
referenced  bit,  segment  address  in  main  memory  (if  resident)  or  on 
disk  (if  not  resident);  but  since  these  entries  are  global,  they  do 
not  contain  access  control  information  which  is  conventionally 
process  local. 

Program addressing works in the following manner. A set of CPU
registers defines the current executing code segment: the start and
end of the segment and the current point of execution (program
counter). Another set of registers defines the current data
segment, some portion of which is treated as a stack; these
registers define the start and end of the data segment and the
beginning and top of the stack.

All instruction fetches are from the current code segment.
Transfer of execution to another code segment is accomplished by a
special hardware instruction (PCAL), which uses linkage information
contained in a segment transfer table (STT) within the current code
segment to locate the new code segment entry in the CST. PCAL may
fault to privileged software if the addressed code segment contains
information which PCAL uses to determine whether the transfer is
legal.

All operands are fetched/stored from/into the current data
segment. A process has both read and write access to its current
data segment, since it is not possible to grant a process just read
access or write access. The process must invoke the supervisor to
change its current data segment.

I/O Access Control

I/O instructions can only be executed in privileged processor
mode; user processes cannot do I/O.

The selector channel accesses main memory directly using
absolute memory addresses; DMA device accesses to memory are not
mediated. Note also that programmed I/O through the multiplexer
channel involves unmediated direct access to main memory.

Execution Domains

Two execution domains are provided: privileged and user
domain. Software executing in privileged domain can 1) execute
privileged instructions, 2) directly address all areas of physical
memory, and 3) invoke code segments that have been declared
uncallable (i.e., the uncallable bit is set in the local program
label or STT entry). Also, instruction fetches to the current code
segment and data references to the current data segment are not
subject to bounds checking. Stack underflow is also permitted in
privileged domain.

A security kernel must run alone in privileged domain. An
operating system must run as a process in user domain.

User software initiated transfer into privileged domain is
accomplished by the Procedure Call (PCAL) instruction. PCAL uses
linkage information resident within the calling and called code
segments' segment transfer tables (STT). Entrance into privileged
domain results from the invocation of a procedure contained within a
code segment assigned to privileged domain. PCAL is very flexible
because multiple entry points into privileged domain segments are
provided through STT linkage information.

Parameters are passed to privileged domain software on the
user's current data stack. Pointers that are displacements from the
top of the user's stack may be passed as parameters. Validation that
these pointers reference locations within the bounds of the user's
stack must be performed entirely by software.

Separate stacks are maintained automatically in user and
privileged domain. On transfers into privileged domain via external
and most internal interrupts, an interrupt control stack (ICS) is
set up by the hardware implemented interrupt handler.

Process Control

The segmented virtual memory organization provides a good
environment for multiple processes, if the environment is properly
managed by privileged domain software. Hardware support for a fast
process switch is provided.

There are a number of processor registers that are
automatically saved on interrupts by the hardware interrupt handler:
current code and data segment registers, index register, status
register, top of stack registers. The contents of these registers
are saved on the user process' stack. Two instructions (SETR, PSHR)
are provided to save/load on/from the current stack any subset of
the above registers. Note, to load (S-bank, DB, DL, Z, status) or
store (DB, DB-bank, S-bank) some of these registers requires
privileged domain operation. Unlike a lot of virtual memory
machines, no mapping registers need be saved/loaded during a process
switch. Just memory locations 1 (pointer to CST extension for
current program) and 4 (pointer to process control block for current
process) must be loaded to define the address space of the new
process.

There is no support for interprocess communication or
synchronization.

Summary

The evaluation is summarized in Table 11. Because the
essential access checking capability on data segment access is not
provided, the HP3000 Series II is rated an extremely poor choice for
an effective kernel implementation.

SECTION IV


CONCLUSION


Table 12 is an attempt to rate the various machines with
respect to each other. To do so, a rating from 0 to 4 is applied to
each vendor's machine, or series of machines, in each of the four
areas of evaluation. A rating of 0 is assigned if the essential
features are not provided; a rating of 1 applies if the essentials
are provided, but none of the conveniences are; a rating of 4
applies if all essentials and conveniences are provided; ratings
between 1 and 4 are assigned depending on the number of
conveniences.

The SCOMP and the PRIME machines are clearly the best
candidates. SCOMP was designed to support a security kernel and
rates the best in the area of I/O control; the SCOMP's Security
Protection Module (SPM) is a descriptor-based general access
controller that includes I/O devices within the virtual environment.
PRIME rates the best on Process Control because of its innovative
support for interprocess synchronization and its shared segment
table arrangement.

The PDP-11/45 stands next, all alone; the 11/45 has already
exhibited itself as a good hardware base for a kernel
implementation.

The ECLIPSE line, GA-16/440, Varian 70 Series, MODCOMP IV/35,
IBM Series 1/Model 5, and INTERDATA 8/32 all rate roughly the same;
all provide the essentials and kernel implementations are certainly
feasible. MODCOMP IV/35 is notable for its strong support for
multiprogramming - as many as 15 sets of mapping registers for user
processes. The ECLIPSE line rates highly for its I/O protection.
INTERDATA's Load Real Address (LRA) instruction is the best solution
of all for argument validation. LRA converts a user virtual address
to a physical address and sets condition codes on an access violation
rather than generating a fault, which may not always be tolerable in
privileged domain.
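Two of the argument-validation situations described above, the HP3000's
software-only check of pointers passed as displacements from the top of the
user's stack, and the LRA style of reporting an access violation as a status
rather than a fault, as an added example written for this edition and not
code from the original report or from any of the vendors. The segment
descriptor layout, the status codes and the demo map are constructed
assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed per-process segment descriptor: base, length and access
 * rights, as on the descriptor-based machines the text contrasts with
 * the HP3000, whose global CST/DST entries carry no access rights. */
enum { ACC_READ = 1, ACC_WRITE = 2 };
typedef struct { uint32_t base; uint32_t len; unsigned rights; } seg_desc;

/* Outcome reported as a status instead of a fault, in the spirit of the
 * INTERDATA LRA instruction: privileged software decides what to do. */
typedef enum { LRA_OK, LRA_BAD_SEGMENT, LRA_OUT_OF_BOUNDS, LRA_NO_ACCESS } lra_status;

/* Translate (seg, off) for an object of nbytes bytes that the caller
 * intends to access with rights 'want'; phys may be NULL. */
lra_status load_real_address(const seg_desc *map, size_t nseg, unsigned seg,
                             uint32_t off, uint32_t nbytes, unsigned want,
                             uint32_t *phys)
{
    if (seg >= nseg) return LRA_BAD_SEGMENT;
    const seg_desc *d = &map[seg];
    if (nbytes == 0 || off >= d->len || nbytes > d->len - off)
        return LRA_OUT_OF_BOUNDS;          /* object would leave the segment */
    if ((d->rights & want) != want) return LRA_NO_ACCESS;
    if (phys) *phys = d->base + off;
    return LRA_OK;
}

/* The check HP3000 privileged software must do itself: a pointer argument
 * is a displacement below the top of the caller's stack (S), and the
 * object it names must lie entirely within the stack bounds [db, s]. */
bool user_stack_pointer_ok(uint32_t db, uint32_t s, uint32_t disp, uint32_t nbytes)
{
    if (s < db || nbytes == 0) return false;
    if (disp > s - db) return false;       /* start lies below the stack base */
    if (nbytes - 1 > disp) return false;   /* object runs past the top of stack */
    return true;
}

/* Constructed two-segment map: segment 0 read-only, segment 1 read/write. */
static const seg_desc demo_map[2] = { { 0x1000, 0x200, ACC_READ },
                                      { 0x4000, 0x100, ACC_READ | ACC_WRITE } };

int main(void)
{
    uint32_t p = 0;   /* a write to the read-only segment must be refused */
    return load_real_address(demo_map, 2, 0, 0x10, 4, ACC_WRITE, &p) == LRA_NO_ACCESS ? 0 : 1;
}
```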

The HP3000 Series II rates as a bad architectural base because
of its lack of access checking capability.